
Jaakko Hartikainen

#22482 of 53,635
10 CVSS total
Vulnerabilities · 1
PT-2007-7325
10
2007-12-20
Kvaliitti · Kvaliitti Webdoc · CVE-2007-6491
**Name of the Vulnerable Software and Affected Versions**
Kvaliitti WebDoc version 3.0

**Description**
The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `cat id` parameter to "categories.asp", and probably via the `document id` parameter to "categories.asp", as well as the `cat id` and `document id` parameters to "subcategory.asp".

**Recommendations**
For Kvaliitti WebDoc version 3.0, consider restricting access to the vulnerable parameters `cat id` and `document id` in the affected API endpoints "categories.asp" and "subcategory.asp" until a patch is available. Avoid using these parameters in the respective endpoints to minimize the risk of exploitation.