CVE-2020-15947

Name of the Vulnerable Software and Affected Versions Loway QueueMetrics versions prior to 19.10.21

Description A SQL injection issue allows remote authenticated users to execute arbitrary SQL commands via the exportId parameter in the "qm adm/qm export stats run.do" endpoint.

Recommendations For versions prior to 19.10.21, update to version 19.10.21 or later to resolve the issue. As a temporary workaround, consider restricting access to the "qm adm/qm export stats run.do" endpoint until the update is applied. Avoid using the exportId parameter in the affected endpoint until the issue is resolved.