PT-2019-2664 · U.Motion · U.Motion Builder

Published 2019-03-12 · Updated 2022-04-15 · CVE-2018-7841

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: U.motion Builder version 1.3.4

Description: A SQL injection vulnerability exists in U.motion Builder 1.3.4 that could lead to unwanted code execution when an improper set of characters is supplied. The root cause is incorrect handling of special characters in SQL queries: untrusted request input reaches a query without being parameterized or validated. A remote attacker could exploit the flaw with a specially crafted request. The injection point is the object_id parameter of the track_import_export.php file, and it is reachable without authentication (the vector above reflects this: network-reachable, no privileges, no user interaction).

Recommendations: For version 1.3.4, disable track_import_export.php or restrict access to it (for example at the web server or a reverse proxy in front of the application) until a patch is available, and do not rely on the object_id parameter of the affected endpoint until the issue is resolved. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
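The following is an added example, not code from the advisory or from U.motion Builder, and the table, column names, URL path and log lines are all constructed for illustration. It shows the CWE-89 pattern the description refers to (a request parameter concatenated into a query) next to its parameterized form, and a small check over web-server access-log lines that flags requests to track_import_export.php whose object_id carries SQL metacharacters, which is the kind of monitoring a team would want while the endpoint is being restricted.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed stand-in table; the real U.motion schema is not known or claimed here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracks (object_id TEXT, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO tracks VALUES (?, ?, ?)",
        [("1001", "lobby-lights", "token-A"), ("1002", "garage-door", "token-B")],
    )
    return conn


def vulnerable_lookup(conn, object_id):
    """CWE-89 pattern: the request value is spliced into the SQL text, so quote
    characters in it change the query's structure instead of being data."""
    sql = "SELECT name, secret FROM tracks WHERE object_id = '" + object_id + "'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, object_id):
    """Parameterized query: the driver binds the value, which is never parsed as SQL."""
    return conn.execute(
        "SELECT name, secret FROM tracks WHERE object_id = ?", (object_id,)
    ).fetchall()


# Quote/comment characters and common injection keywords in a value that is
# expected to be an identifier.  This is a triage heuristic, not a WAF rule.
SUSPICIOUS = re.compile(r"['\";]|--|/\*|\b(or|and|union|select|sleep)\b", re.IGNORECASE)


def flag_requests(log_lines):
    """Return (line_number, decoded object_id) for requests to track_import_export.php
    whose object_id looks like an injection attempt.  Assumes Common Log Format;
    parse_qs already percent-decodes the parameter value."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("/track_import_export.php"):
            continue
        for value in parse_qs(url.query).get("object_id", []):
            if SUSPICIOUS.search(value):
                hits.append((n, value))
    return hits


# Constructed log lines; the path prefix is invented, only the file name matters.
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2019:10:01:02 +0000] "GET /track_import_export.php?object_id=1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2019:10:01:07 +0000] "GET /track_import_export.php?object_id=1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Mar/2019:10:01:09 +0000] "GET /index.php?object_id=%27 HTTP/1.1" 200 100',
]


if __name__ == "__main__":
    db = make_db()
    payload = "1001' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, payload))   # every row comes back
    print("hardened:  ", hardened_lookup(db, payload))     # no row has that literal id
    print("flagged:   ", flag_requests(LOG_LINES))
```

The decoded value on the second log line is exactly the payload the vulnerable function receives, which is why the query returns both rows; the bound-parameter version returns nothing because no object_id equals the literal string. If object_id is known to be numeric in a given deployment, an allow-list check before the query (reject anything that is not digits) is a cheap additional guard; that assumption is not stated in the advisory, so the example does not rely on it.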

Exploit

SQL injection


Weakness Enumeration

Related identifiers

BDU:2019-02551
CVE-2018-7841

Affected products

U.Motion Builder