📄 Description (English)
A weakness has been identified in OFCMS 1.1.3. The affected element is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SysUserController.java of the component JSON Query Interface. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
🤖 AI Executive Summary
CVE-2026-10204 is a SQL injection vulnerability in OFCMS 1.1.3's JSON Query Interface affecting the SysUserController component. With a CVSS score of 6.3 (medium severity), this remotely exploitable flaw allows attackers to manipulate database queries without authentication. The vulnerability poses significant risk as no patch is currently available and the project developers have not responded to early notifications.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 1, 2026 04:55
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using OFCMS 1.1.3 face significant risk, particularly in: Government agencies (NCA, CITC) managing citizen data through CMS platforms; Banking sector (SAMA-regulated institutions) if OFCMS is used for administrative interfaces; Healthcare providers (MOH) storing patient information; Telecommunications operators (STC, Mobily) managing customer portals. The SQL injection vulnerability could enable unauthorized database access, data exfiltration, privilege escalation, and potential lateral movement within critical infrastructure networks.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Telecommunications
Energy
Education
E-commerce
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1566 - Phishing (if combined with social engineering)
T1078 - Valid Accounts (privilege escalation post-exploitation)
T1005 - Data from Local System (database exfiltration)
T1021 - Remote Services (lateral movement)
T1040 - Network Sniffing (data interception)
T1110 - Brute Force (credential attacks via SQL injection)
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all OFCMS 1.1.3 deployments across your organization and isolate affected systems from production networks if possible
2. Implement network-level access controls restricting access to the JSON Query Interface (/ofcms-admin/src/main/java/com/ofsoft/cms/admin/controller/system/SysUserController) to authorized administrators only
3. Enable comprehensive logging and monitoring of all database queries and authentication attempts
COMPENSATING CONTROLS (until patch available):
4. Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in JSON payloads targeting the Query function
5. Implement input validation and parameterized queries at the application layer if source code access is available
6. Apply database-level restrictions: create read-only database accounts for the application and restrict administrative privileges
7. Enable SQL query auditing and anomaly detection
DETECTION RULES:
8. Monitor for SQL keywords (UNION, SELECT, DROP, INSERT, UPDATE, DELETE) in JSON Query parameters
9. Alert on unusual database connection patterns or privilege escalation attempts
10. Track failed authentication attempts followed by successful database access
LONG-TERM:
11. Evaluate alternative CMS solutions or request security updates from OFCMS developers
12. Plan migration away from OFCMS 1.1.3 to patched versions or alternative platforms
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. قم بحصر جميع نشرات OFCMS 1.1.3 عبر مؤسستك وعزل الأنظمة المتأثرة عن شبكات الإنتاج إن أمكن
2. تطبيق ضوابط الوصول على مستوى الشبكة لتقييد الوصول إلى واجهة الاستعلام JSON لمسؤولي النظام المصرح لهم فقط
3. تفعيل السجلات الشاملة ومراقبة جميع استعلامات قاعدة البيانات ومحاولات المصادقة
الضوابط البديلة (حتى توفر التصحيح):
4. نشر قواعد جدار الحماية (WAF) للكشف عن أنماط حقن SQL وحجبها في حمولات JSON
5. تطبيق التحقق من صحة المدخلات والاستعلامات المعاملة على مستوى التطبيق
6. تطبيق القيود على مستوى قاعدة البيانات: إنشاء حسابات قراءة فقط وتقييد الامتيازات الإدارية
7. تفعيل تدقيق استعلامات SQL والكشف عن الشذوذ
قواعد الكشف:
8. مراقبة كلمات SQL الرئيسية في معاملات الاستعلام JSON
9. تنبيهات على أنماط اتصال قاعدة البيانات غير العادية
10. تتبع محاولات المصادقة الفاشلة متبوعة بالوصول الناجح إلى قاعدة البيانات
المدى الطويل:
11. تقييم حلول CMS بديلة أو طلب تحديثات أمان من مطوري OFCMS
12. التخطيط للهجرة بعيداً عن OFCMS 1.1.3
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies (unauthorized database access)
ECC 2024 A.5.2.1 - User Registration and Access Management (authentication bypass)
ECC 2024 A.5.3.1 - Access Rights (privilege escalation via SQL injection)
ECC 2024 A.12.4.1 - Event Logging (insufficient logging of SQL queries)
ECC 2024 A.12.4.3 - Protection of Log Information (audit trail integrity)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (inventory OFCMS deployments)
SAMA CSF PR.AC-1 - Access Control (restrict JSON Query Interface access)
SAMA CSF PR.AC-4 - Access Management (authentication and authorization)
SAMA CSF DE.CM-1 - Detection Processes (monitor SQL injection attempts)
SAMA CSF RS.MI-2 - Incident Mitigation (contain affected systems)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of duties (database access controls)
ISO 27001:2022 A.8.1 - User endpoint devices (application security)
ISO 27001:2022 A.8.2 - Privileged access rights (principle of least privilege)
ISO 27001:2022 A.8.3 - Information access restriction (data protection)
ISO 27001:2022 A.12.4 - Logging (event logging and monitoring)
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws (SQL injection prevention)
PCI DSS 6.6 - Security testing and vulnerability scanning
PCI DSS 10.2 - Logging and monitoring of access to cardholder data
PCI DSS 10.3 - Protection of log files