Ilya Timchenko

**Name of the Vulnerable Software and Affected Versions** Rausoft ID.prove version 2.95 **Description** An issue was discovered that allows SQL injection via Microsoft SQL Server stacked queries in the `Username` POST parameter on the login page. This could potentially be used for privilege elevation, for example, by utilizing `master..xp cmdshell`. **Recommendations** For Rausoft ID.prove version 2.95, consider restricting access to the login page or validating and sanitizing the `Username` parameter to prevent SQL injection attacks. As a temporary workaround, consider disabling the login functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.