PT-2022-10653 · Grandcom · Grandcom Dynweb

Martin Kubecka · Published 2022-05-19 · Updated 2022-06-01

CVE-2021-37413

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GRANDCOM DynWEB versions prior to 4.2

Description: The issue allows a remote unauthenticated attacker to exploit a SQL Injection vulnerability in the admin login interface. This can lead to obtaining administrative access to the webpage, accessing the user database, modifying web content, and uploading custom files. The backend login script fails to verify and sanitize user-provided strings, such as username and password.

Recommendations: For GRANDCOM DynWEB versions prior to 4.2, update to version 4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin login interface to minimize the risk of exploitation. Additionally, avoid using unsanitized user input in the backend login script until the issue is resolved.
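The defect class named in the description (login credentials pasted into the SQL text) and the fix the recommendations point at (never use unsanitized input in the query) side by side, as an added example that is not GRANDCOM DynWEB's code and does not reflect its actual implementation. The `admins` table, its schema, the SHA-256 password hashing, the sample account and the in-memory SQLite database are all assumptions constructed for the demonstration.

```python
"""Added example (not DynWEB's code): a string-built login query next to a
parameterized one, run against a constructed in-memory admin table."""
import hashlib
import hmac
import sqlite3


def make_admin_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's admin table (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admins (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO admins VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct-horse-battery").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the advisory describes: the user-supplied username is pasted
    into the statement text, so quote and comment characters in that field
    rewrite the query instead of being compared as a value.  (Hashing the
    password before use keeps that field out of the SQL text, but the username
    still reaches the parser raw.)"""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM admins WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: the username travels as a bound parameter, so the engine treats it
    strictly as data; the password hash is then compared in constant time
    outside the query, so no user-controlled text ever touches the SQL."""
    row = conn.execute(
        "SELECT pw_hash FROM admins WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    expected = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], expected)


def demo() -> dict:
    """Run both variants on a valid login, a wrong password, and a constructed
    username that closes the string literal and comments out the rest of the
    WHERE clause.  Only the vulnerable variant accepts the last one."""
    conn = make_admin_db()
    crafted_user = "admin' --"  # constructed regression input, not a real account
    return {
        "vulnerable_valid": login_vulnerable(conn, "admin", "correct-horse-battery"),
        "vulnerable_wrong_pw": login_vulnerable(conn, "admin", "nope"),
        "vulnerable_crafted": login_vulnerable(conn, crafted_user, "nope"),
        "hardened_valid": login_hardened(conn, "admin", "correct-horse-battery"),
        "hardened_wrong_pw": login_hardened(conn, "admin", "nope"),
        "hardened_crafted": login_hardened(conn, crafted_user, "nope"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} -> {'accepted' if accepted else 'rejected'}")
```

The `demo()` function doubles as the regression test a maintainer would keep after shipping the fix: the hardened path must accept the real credentials, reject a wrong password, and reject any username that is not an exact stored value, regardless of what characters it contains. Parameter binding is the primary control; escaping or "sanitizing" the strings by hand, as the advisory's workaround wording hints, is a stopgap and should not replace it.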

Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2021-37413

Affected Products: Grandcom Dynweb