PT-2023-28353 · Sqlpage · Sqlpage

Lovasoa · Published 2023-09-18 · Updated 2023-09-21 · CVE-2023-42454

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SQLpage versions prior to 0.11.1

Description: SQLpage is a SQL-only webapp builder. An attacker can retrieve database connection information from SQLpage and use it to connect to the database directly when all of the following hold: the SQLpage instance is exposed publicly, the database connection string is specified in the sqlpage/sqlpage.json configuration file, the web root is the current working directory, and the database is exposed publicly.

Recommendations: For SQLpage versions prior to 0.11.1, upgrade to version 0.11.1 as soon as possible. As a temporary workaround, consider using an environment variable instead of the configuration file to specify the database connection string. Using a different web root that is not a parent of the SQLpage configuration directory fixes the issue. Avoid exposing the database publicly.
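The description above lists the deployment conditions under which the configuration file becomes readable over HTTP, and the recommendations remove two of them (moving the web root, or moving the connection string out of the file). The following added example, not part of the advisory or of the SQLpage project, audits a deployment against those two conditions; it assumes `database_url` as the key holding the connection string in sqlpage.json, and the sample configuration it uses is constructed with a placeholder value.

```python
import json
import os
from typing import Optional

# Path SQLpage reads its configuration from, relative to the working directory (from the advisory).
CONFIG_RELPATH = os.path.join("sqlpage", "sqlpage.json")
# Key assumed to hold the connection string inside sqlpage.json (not stated on the advisory page).
CONNECTION_KEY = "database_url"


def is_within(child: str, parent: str) -> bool:
    """True when `child` lies inside `parent` after both are made absolute and normalised."""
    child_abs, parent_abs = os.path.abspath(child), os.path.abspath(parent)
    return os.path.commonpath([child_abs, parent_abs]) == parent_abs


def audit_exposure(web_root: str, config_json: Optional[str], cwd: str = ".") -> list[str]:
    """Return the advisory's preconditions that hold for a deployment.

    web_root:    directory SQLpage serves static files from
    config_json: raw text of sqlpage/sqlpage.json, or None when the file does not exist
    cwd:         working directory that the configuration path is relative to
    An empty list means the file is not reachable through the web server or holds no secret.
    """
    findings: list[str] = []
    if config_json is None:
        return findings
    if is_within(os.path.join(cwd, CONFIG_RELPATH), web_root):
        findings.append("configuration file is located under the web root")
    try:
        settings = json.loads(config_json)
    except json.JSONDecodeError:
        settings = {}
    if isinstance(settings, dict) and CONNECTION_KEY in settings:
        findings.append("database connection string is stored in the configuration file")
    return findings


def is_disclosable(web_root: str, config_json: Optional[str], cwd: str = ".") -> bool:
    """Both preconditions must hold for the connection string to be retrievable over HTTP."""
    return len(audit_exposure(web_root, config_json, cwd)) == 2


if __name__ == "__main__":
    # Constructed sample configuration with a placeholder connection string.
    sample = json.dumps({CONNECTION_KEY: "postgres://user:PLACEHOLDER@db.internal/app"})
    print("web root = cwd:", is_disclosable(".", sample))  # vulnerable layout from the advisory
    print("web root = ./public:", is_disclosable("./public", sample))  # mitigated by a separate web root
    print("connection string in env:", is_disclosable(".", json.dumps({})))  # mitigated by the workaround
```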

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2023-42454
GHSA-V5WF-JG37-R9M5

Affected Products

Sqlpage