CVE-2018-1000630

Name of the Vulnerable Software and Affected Versions Battelle V2I Hub version 2.5.1

Description The issue allows a remote authenticated attacker to perform SQL injection. This can be achieved by sending specially-crafted SQL statements to "API Endpoints: /api/PluginStatusActions.php" and "/status/pluginStatus.php" using the jtSorting or id parameter. This could enable the attacker to view, add, modify, or delete information in the back-end database.

Recommendations For Battelle V2I Hub version 2.5.1, consider restricting access to the "API Endpoints: /api/PluginStatusActions.php" and "/status/pluginStatus.php" to minimize the risk of exploitation. Avoid using the jtSorting or id parameter in these affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.