CVE-2018-16659

Name of the Vulnerable Software and Affected Versions Rausoft ID.prove version 2.95

Description An issue was discovered that allows SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter on the login page. This could potentially be used for privilege elevation, for example, by utilizing master..xp cmdshell.

Recommendations For Rausoft ID.prove version 2.95, consider restricting access to the login page or validating and sanitizing the Username parameter to prevent SQL injection attacks. As a temporary workaround, consider disabling the login functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.