CVE-2022-36787

Name of the Vulnerable Software and Affected Versions webvendome (affected versions not specified)

Description The issue is related to SQL Injection in the DocNumber parameter. It can be exploited through a GET request to the /webvendome/showfiles.aspx endpoint with a specially crafted DocNumber value. The request format is /webvendome/showfiles.aspx?jobnumber=null&Doc Number=HERE, where HERE represents the malicious input.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the /webvendome/showfiles.aspx endpoint or sanitizing the DocNumber parameter to minimize the risk of exploitation. Avoid using the DocNumber parameter in the affected API endpoint until the issue is resolved.