Daptin · Daptin · CVE-2026-44349
**Name of the Vulnerable Software and Affected Versions**
Daptin versions prior to 0.11.5
**Description**
An issue exists in the `processFuzzySearch` function within `server/resource/resource_findallpaginated.go` where the software fails to validate the `column` parameter against a whitelist. When using the `GET /api/<entity>` endpoint with the `operator` parameter set to `fuzzy`, `fuzzy any`, or `fuzzy all`, the user-supplied `column` value is split by commas and interpolated directly into raw SQL queries. This allows any authenticated user, including those who self-registered, to perform boolean-blind SQL injection to read the entire database.
Technical details regarding the exploitation include:
- **API Endpoint**: `GET /api/<entity>`
- **Vulnerable Parameters**: `column` and `operator`
- **Vulnerable Function**: `processFuzzySearch()`
Depending on the database driver, the injection may require specific `fuzzy options.fallback mode` values for PostgreSQL, MySQL, or MSSQL, while SQLite is vulnerable by default.
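The missing check described above, as an added Go example (not Daptin's code and not the 0.11.5 patch): every comma-separated `column` value must match an allowlist of the entity's columns before it is placed in SQL, and the search term is bound as a parameter. The function names, the `LOWER(...) LIKE ?` clause, the double-quote identifier quoting and the sample schema are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumption: column names are plain ASCII identifiers.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ValidateFuzzyColumns splits the comma-separated column parameter and
// returns the names only if every one is a known column of the entity.
func ValidateFuzzyColumns(raw string, allowed map[string]bool) ([]string, error) {
	var cols []string
	for _, part := range strings.Split(raw, ",") {
		name := strings.TrimSpace(part)
		if !identRe.MatchString(name) {
			return nil, fmt.Errorf("column %q is not a plain identifier", name)
		}
		if !allowed[name] {
			return nil, fmt.Errorf("column %q is not defined on this entity", name)
		}
		cols = append(cols, name)
	}
	return cols, nil
}

// BuildFuzzyWhere interpolates only validated column names (quoted with
// standard-SQL double quotes, an assumption) and binds the term as a parameter.
func BuildFuzzyWhere(raw, term string, allowed map[string]bool) (string, []interface{}, error) {
	cols, err := ValidateFuzzyColumns(raw, allowed)
	if err != nil {
		return "", nil, err
	}
	clauses, args := []string{}, []interface{}{}
	for _, c := range cols {
		clauses = append(clauses, `LOWER("`+c+`") LIKE ?`)
		args = append(args, "%"+strings.ToLower(term)+"%")
	}
	return "(" + strings.Join(clauses, " OR ") + ")", args, nil
}

func main() {
	allowed := map[string]bool{"title": true, "body": true} // constructed schema
	fmt.Println(BuildFuzzyWhere("title, body", "note", allowed))
	_, _, err := BuildFuzzyWhere("title) OR (1=1", "note", allowed) // constructed malformed value
	fmt.Println("rejected:", err)
}
```

Rejecting the whole request on the first unknown column, rather than silently dropping it, also gives a clear event to log and alert on.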
**Recommendations**
Update to version 0.11.5.
As a temporary workaround, restrict access to the `GET /api/<entity>` endpoint or avoid using the `fuzzy`, `fuzzy any`, and `fuzzy all` operators until the update is applied.