CVE-2019-1010034

Name of the Vulnerable Software and Affected Versions: Deepwoods Software WebLibrarian versions 3.5.2 and earlier

Description: The issue affects the Function AllBarCodes defined at database code.php line 1018, which is vulnerable to a boolean-based blind SQL injection. This can be triggered by any user logged-in with at least Volunteer role or manage circulation capabilities. The impact is exposing the entire database. The vulnerable endpoint is "/wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC".

Recommendations: For Deepwoods Software WebLibrarian versions 3.5.2 and earlier, as a temporary workaround, consider disabling the AllBarCodes function until a patch is available. Restrict access to the /wordpress/wp-admin/admin.php?page=weblib-circulation-desk&orderby=title&order=DESC endpoint to minimize the risk of exploitation. Ensure that only authorized users have the Volunteer role or manage circulation capabilities. At the moment, there is no information about a newer version that contains a fix for this vulnerability.