Enhancement #22346

[3.9.16][MIB][Android][MIB-2] Use of execSQL() with Unvalidated Input (SQL Injection Vulnerability)

Added by Feerman Yusoff about 10 hours ago. Updated about 10 hours ago.

Status: New
Start date: 18 August 2025
Priority: Normal
Due date:
Assignee: Abdul Halim Baharom
% Done: 0%
Category: -
Spent time: -
Target version: -

Description

Finding Summary: The method deleteTable(String str) in the file com/ecosystem/mobility/silverlake/slmobilesdk/control/SLSQLLite.class executes a raw SQL query to drop a table in the database using the following code:

getWritableDatabase().execSQL("DROP TABLE IF EXISTS " + str); // str is concatenated into the statement without validation

This implementation constructs a SQL query dynamically by concatenating the input parameter str directly into the SQL command. As a result, it exposes the application to a SQL Injection vulnerability. Specifically, if the value passed to str is controlled by an attacker, it could lead to malicious SQL queries being executed on the database.
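A hardened counterpart to the pattern described in the finding, added here as an example and not code from the SLSQLLite class or the SDK: the requested table name must match a strict identifier pattern and appear in an allowlist of tables the application itself created before it is placed in the statement (the class name and table names are assumptions).

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example: build a DROP TABLE statement only for table names the
// application knows about, so the caller's string never reaches the SQL
// text unchecked. Pure JDK so it runs without the Android SDK.
public final class SafeDropTable {

    // Hypothetical allowlist: the tables this SDK actually creates.
    private static final Set<String> KNOWN_TABLES = Set.of("session_cache", "notifications");

    // Plain SQLite identifier: letters, digits, underscore; not starting with a digit.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    /** Returns the statement to execute, or throws if the name is not an allowed table. */
    public static String buildDropStatement(String tableName) {
        if (tableName == null || !IDENTIFIER.matcher(tableName).matches()) {
            throw new IllegalArgumentException("table name is not a plain identifier");
        }
        if (!KNOWN_TABLES.contains(tableName)) {
            throw new IllegalArgumentException("table name is not in the allowlist");
        }
        // Quoting the identifier is belt and braces: the checks above already
        // exclude quotes, spaces, semicolons and comment markers.
        return "DROP TABLE IF EXISTS \"" + tableName + "\"";
    }

    public static void main(String[] args) {
        // On Android the caller would run: getWritableDatabase().execSQL(buildDropStatement(str));
        System.out.println(buildDropStatement("session_cache"));

        // Constructed inputs that the checks reject: a name carrying a statement
        // separator, and a table the application never created.
        String[] rejected = { "session_cache; --", "accounts" };
        for (String name : rejected) {
            try {
                buildDropStatement(name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected \"" + name + "\": " + e.getMessage());
            }
        }
    }
}
```

Because the name is checked before the string is built, the rejection surfaces as an exception in the caller rather than as an unexpected statement reaching SQLite, which also gives a clear point to log for detection.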

History

#1 Updated by Feerman Yusoff about 10 hours ago

  • Subject changed from [3.9.16][MIB][iOS][MIB-7] Use of execSQL() with Unvalidated Input (SQL Injection Vulnerability) to [3.9.16][MIB][Android][MIB-7] Use of execSQL() with Unvalidated Input (SQL Injection Vulnerability)

#2 Updated by Feerman Yusoff about 10 hours ago

  • Subject changed from [3.9.16][MIB][Android][MIB-7] Use of execSQL() with Unvalidated Input (SQL Injection Vulnerability) to [3.9.16][MIB][Android][MIB-2] Use of execSQL() with Unvalidated Input (SQL Injection Vulnerability)
