Nehru Sethuraman

**Name of the Vulnerable Software and Affected Versions** Build Smart ERP version 21.0817 **Description** The software contains an unauthenticated SQL injection issue in the login validation endpoint. Attackers can inject SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- through the `eidValue` parameter. This could allow manipulation of database queries and potential extraction or modification of database information. The affected API endpoint is '/login'. **Recommendations** Apply input validation and sanitization to the `eidValue` parameter in the login validation endpoint. Implement parameterized queries or prepared statements to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.