Polaris Ft · Polaris Ft Intellect Core Banking · CVE-2024-55517
**Name of the Vulnerable Software and Affected Versions**
Polaris FT Intellect Core Banking version 9.5
**Description**
An issue was discovered in the Intellect Core Search, where input passed through the `groupType` parameter in `/SCGController` is mishandled before being used in SQL queries, allowing SQL injection in an authenticated session.
**Recommendations**
For Polaris FT Intellect Core Banking version 9.5, as a temporary workaround, consider restricting access to the `/SCGController` endpoint or disabling the use of the `groupType` parameter until a patch is available. Avoid using the `groupType` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
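Before restricting `/SCGController` or disabling `groupType`, it helps to know which clients actually send the parameter. The following is an added example, not vendor code: it audits web access logs for `groupType` usage on that endpoint. It assumes Apache/nginx "combined" log format and that the parameter travels in the query string; the sample lines and the "plain value" pattern are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = '''\
10.0.4.17 - jdoe [12/Jan/2025:09:14:02 +0000] "GET /SCGController?action=search&groupType=RETAIL HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.4.23 - asmith [12/Jan/2025:09:15:40 +0000] "GET /SCGController?action=search HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
10.0.9.80 - svc01 [12/Jan/2025:09:16:11 +0000] "GET /SCGController;jsessionid=ABC?groupType=RETAIL%27 HTTP/1.1" 500 312 "-" "curl/8.5.0"
10.0.4.17 - jdoe [12/Jan/2025:09:17:55 +0000] "GET /home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

# client IP, identd, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: legitimate groupType values are short plain identifiers.
PLAIN_VALUE = re.compile(r'[A-Za-z0-9_-]{1,64}')


def audit_group_type(log_text):
    """Return one finding per groupType value sent to /SCGController."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        # Drop servlet path parameters such as ";jsessionid=..."
        path = url.path.split(";", 1)[0].rstrip("/")
        if not path.endswith("/SCGController"):
            continue
        # parse_qs percent-decodes values, so encoded characters are visible
        for value in parse_qs(url.query, keep_blank_values=True).get("groupType", []):
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "user": m["user"],
                "status": int(m["status"]),
                "value": value,
                "plain": PLAIN_VALUE.fullmatch(value) is not None,
            })
    return findings


if __name__ == "__main__":
    for f in audit_group_type(SAMPLE_LOG):
        print(f)
```

Findings with `plain` set to `False` deserve review first. Parameters sent in a POST body do not appear in access logs, so an empty result does not prove the parameter is unused.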