CVE-2018-7765

Name of the Vulnerable Software and Affected Versions Schneider Electric U.motion Builder software versions prior to v1.3.4

Description The issue exists in the processing of track import export.php, where the underlying SQLite database query is subject to SQL injection on the object id input parameter. This allows a remote attacker to execute arbitrary SQL queries on the SQLite database using the object id parameter.

Recommendations For versions prior to v1.3.4, update to version v1.3.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the track import export.php script to minimize the risk of exploitation. Avoid using the object id parameter in the affected script until the issue is resolved.