Core Technology Consulting · Bugtracker.Net · CVE-2010-3267
**Name of the Vulnerable Software and Affected Versions**
BugTracker.NET versions prior to 3.4.5
**Description**
The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via several parameters, including `qu_id` in "bugs.aspx", `row_id` in "delete_query.aspx", `new_project` or `us_id` in "edit_bug.aspx", and `bug_list` in "massedit.aspx".
**Recommendations**
For versions prior to 3.4.5, update to version 3.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected pages, "bugs.aspx", "delete_query.aspx", "edit_bug.aspx", and "massedit.aspx", and avoid using the vulnerable parameters `qu_id`, `row_id`, `new_project`, `us_id`, and `bug_list` until the update is applied.
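While the workaround is in place, request logs can be reviewed for the affected page and parameter pairs carrying unexpected values. The following is an added example, not part of the original advisory or of BugTracker.NET. It assumes the parameters appear in the query string, that each one normally carries numeric ids (`bug_list` a comma-separated list of them), and a simplified `<method> <url> <status>` log format; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Page -> parameters named in the advisory.
AFFECTED = {
    "bugs.aspx": ("qu_id",),
    "delete_query.aspx": ("row_id",),
    "edit_bug.aspx": ("new_project", "us_id"),
    "massedit.aspx": ("bug_list",),
}
# Assumption (not stated in the advisory): every listed parameter holds
# numeric ids, with bug_list being a comma-separated list of them.
NUMERIC = re.compile(r"\d+(,\d+)*")

def suspicious_params(url):
    """Return [(page, param, value)] for advisory parameters with non-numeric values."""
    parts = urlsplit(url)
    page = parts.path.rsplit("/", 1)[-1].lower()
    watched = AFFECTED.get(page, ())
    hits = []
    # parse_qs percent-decodes values, so encoded characters are checked too.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in watched:
            hits += [(page, name, v) for v in values if not NUMERIC.fullmatch(v)]
    return hits

def scan(log_lines):
    """Scan lines shaped '<method> <url> <status>' (constructed format)."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 2:
            findings += suspicious_params(fields[1])
    return findings

# Constructed sample requests, not taken from a real log.
SAMPLE = [
    "GET /btnet/bugs.aspx?qu_id=12 200",
    "GET /btnet/bugs.aspx?qu_id=12%27 500",
    "GET /btnet/massedit.aspx?bug_list=3,4,5 200",
    "GET /btnet/massedit.aspx?bug_list=3,x 500",
    "GET /btnet/search.aspx?qu_id=abc 200",  # page not in the advisory
]

if __name__ == "__main__":
    for page, param, value in scan(SAMPLE):
        print(f"{page}: {param}={value!r}")
```

Parameters submitted in a POST body do not appear in the URL, so a review based on request lines alone covers only query-string use.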