PT-2020-14346 · Sit! · Support Incident Tracker

Published 2020-06-26 · Updated 2020-07-06 · CVE-2020-15308

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Support Incident Tracker (aka SiT! or SiTracker) version 3.67 p2

Description

The issue allows post-authentication SQL injection via several parameters, including typeid or site in site_edit.php, search_title in search_incidents_advanced.php, and criteriafield in report_qbe.php.

Recommendations

For version 3.67 p2, consider disabling access to the vulnerable parameters typeid, site, search_title, and criteriafield in the respective PHP files until a patch is available. Restrict access to the site_edit.php, search_incidents_advanced.php, and report_qbe.php endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
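Until access to the affected endpoints is restricted, a defender can at least watch web server logs for the parameters the advisory names. The following is an added example, not code from the advisory or the SiT! project: it scans Apache combined-format access log lines (constructed samples below) for requests to the three scripts whose watched parameter values contain SQL metacharacters. The underscored script names are assumed to be the original SiT! file names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameters named in the advisory (script names with
# underscores are an assumption about the original SiT! file names).
WATCHED = {
    "/site_edit.php": {"typeid", "site"},
    "/search_incidents_advanced.php": {"search_title"},
    "/report_qbe.php": {"criteriafield"},
}

# Crude check for SQL metacharacters/keywords in a decoded parameter value.
SQLI_PATTERN = re.compile(
    r"(?i)('|\"|--|/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bor\b\s+\d+\s*=\s*\d+)"
)

# Apache combined log: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines; only the second and third should be reported.
SAMPLE_LOG = [
    '10.0.0.5 - alice [26/Jun/2020:10:01:02 +0000] "GET /site_edit.php?id=3&typeid=2 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [26/Jun/2020:10:02:10 +0000] "GET /site_edit.php?id=3&typeid=2%27%20OR%201%3D1--%20 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [26/Jun/2020:10:03:00 +0000] "GET /search_incidents_advanced.php?search_title=printer%27%20UNION%20SELECT%201 HTTP/1.1" 200 2048',
    '10.0.0.7 - carol [26/Jun/2020:10:04:00 +0000] "GET /report_qbe.php?criteriafield=title HTTP/1.1" 200 100',
    '10.0.0.7 - carol [26/Jun/2020:10:05:00 +0000] "GET /index.php?q=%27 HTTP/1.1" 200 100',
]

def suspicious_params(target):
    """Return {param: decoded value} for watched params that look like SQLi."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path)
    if not watched:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in watched:
            for value in values:          # parse_qs already percent-decodes
                if SQLI_PATTERN.search(value):
                    hits[name] = value
    return hits

def scan_log(lines):
    """Return (ip, user, timestamp, target, hits) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, ts, _method, target, _status = m.groups()
        hits = suspicious_params(target)
        if hits:
            findings.append((ip, user, ts, target, hits))
    return findings
```

Values that legitimately contain an apostrophe (a site named O'Brien) will also be flagged, so treat matches as triage leads and review them alongside the authenticated user, since the injection requires a logged-in account.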

Exploit

SQL injection

Related Identifiers

CVE-2020-15308

Affected Products

Support Incident Tracker