CVE-2021-45253

Name of the Vulnerable Software and Affected Versions: Simple Cold Storage Management System version 1.0

Description: The issue concerns a SQL injection vulnerability in the id parameter of the view storage.php file. This vulnerability allows an attacker to inject a SQL sub-query that calls MySQL's load file function with a UNC file path referencing a URL on an external domain. The fact that the application interacted with the external domain indicates the successful execution of the injected SQL query.

Recommendations: For Simple Cold Storage Management System version 1.0, consider disabling the id parameter in the view storage.php file as a temporary workaround until a patch is available. Restrict access to the view storage.php file to minimize the risk of exploitation. Avoid using the id parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.