CVE-2021-38145

Name of the Vulnerable Software and Affected Versions: Form Tools versions 3.0.20 and earlier

Description: An issue allows SQL Injection to occur via the export group id field when a low-privileged user tries to export a form with data. This can be achieved through manipulation of the "modules/export manager/export.php" endpoint with parameters such as export group id, export group 1 results, and export type id.

Recommendations: For Form Tools versions 3.0.20 and earlier, as a temporary workaround, consider restricting access to the export group id field in the "modules/export manager/export.php" endpoint until a patch is available. Additionally, limit the privileges of low-privileged users to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.