Billv-Lists

**Name of the Vulnerable Software and Affected Versions** ClassApps SelectSurvey.NET versions prior to 4.125.002 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `SurveyID` parameter to "/survey/ReviewReadOnlySurvey.aspx" or remote authenticated users to execute arbitrary SQL commands via the `SurveyID` parameter to "/survey/UploadImagePopupToDb.aspx". **Recommendations** For versions prior to 4.125.002, update to version 4.125.002 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/survey/ReviewReadOnlySurvey.aspx" and "/survey/UploadImagePopupToDb.aspx" API endpoints until the update is applied. Avoid using the `SurveyID` parameter in these endpoints until the issue is resolved.