CVE-2024-7099

Summary

CVE-2024-7099 is a vulnerability affecting the netease-youdao/qanything package, specifically versions prior to 1.4.2. This issue involves unsafe handling of user data, which is concatenated in SQL queries without proper validation. Functions such as `get_knowledge_base_name`, `from_status_to_status`, `delete_files`, and `get_file_by_status` are susceptible to SQL injection attacks. An attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially gaining unauthorized access to sensitive information within the affected database. Users are strongly urged to upgrade to version 1.4.2 to mitigate this risk.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.