Nokia · Nokia Broadcast Message Center · CVE-2021-35487
**Name of the Vulnerable Software and Affected Versions**
Nokia Broadcast Message Center versions prior to 11.1.0
**Description**
The issue allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint "/owui/block/send-receive-updates" (for the Manage Alerts page) via the `extIdentifier` HTTP POST parameter. This enables an attacker to obtain the database user, database name, and database version information, and potentially database data.
**Recommendations**
For versions prior to 11.1.0, consider disabling access to the "/owui/block/send-receive-updates" endpoint until a patch is available. Restrict the use of the `extIdentifier` HTTP POST parameter in the affected endpoint to minimize the risk of exploitation.
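One way to apply the parameter restriction and spot probing of this endpoint in proxy or WAF logs, as an added example that is not Nokia's code. The allowlist format for `extIdentifier`, the log record fields (`session`, `method`, `path`, `body`) and the threshold are assumptions; the sample records are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

ENDPOINT = "/owui/block/send-receive-updates"
# Assumption: legitimate extIdentifier values are short opaque identifiers.
# Adjust the pattern to the values your deployment actually sends.
EXT_ID_RE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")


def ext_identifier_ok(body: str) -> bool:
    """Validate extIdentifier in a form-encoded POST body against the allowlist."""
    values = parse_qs(body, keep_blank_values=True).get("extIdentifier", [])
    if not values:
        return True   # parameter absent: nothing reaches the query through it
    if len(values) > 1:
        return False  # duplicated parameter: ambiguous which copy the app reads
    return EXT_ID_RE.fullmatch(values[0]) is not None


def triage(records, threshold=3):
    """Return (rejected records, sessions with at least `threshold` rejections).

    Boolean-based blind injection needs many requests per extracted value, so
    repeated rejections from one authenticated session are the signal to chase.
    """
    rejected = [r for r in records
                if r["method"] == "POST"
                and r["path"].split("?", 1)[0] == ENDPOINT
                and not ext_identifier_ok(r["body"])]
    per_session = Counter(r["session"] for r in rejected)
    return rejected, sorted(s for s, n in per_session.items() if n >= threshold)


def _rec(session, body, method="POST", path=ENDPOINT):
    return {"session": session, "method": method, "path": path, "body": body}


# Constructed sample records, not taken from a real system.
SAMPLE = [
    _rec("s-01", "extIdentifier=ALERT-2021-0007&state=open"),
    _rec("s-02", "extIdentifier=A1%27+AND+1%3D1--+"),
    _rec("s-02", "extIdentifier=A1%27+AND+1%3D2--+"),
    _rec("s-02", "extIdentifier=A1%27+AND+1%3D1--+"),
    _rec("s-03", "extIdentifier=A1&extIdentifier=B2"),
    _rec("s-01", "", method="GET", path="/owui/home"),
]

if __name__ == "__main__":
    rejected, noisy = triage(SAMPLE)
    print(len(rejected), "rejected; sessions to review:", noisy)
```

The same `ext_identifier_ok` check can sit in a reverse proxy hook to reject requests before they reach the application.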