CVE-2022-44012

Name of the Vulnerable Software and Affected Versions Simmeth Lieferantenmanager versions prior to 5.6

Description An issue was discovered in the "/DS/LM API/api/SelectionService/InsertQueryWithActiveRelationsReturnId" API endpoint. This allows an attacker to execute JavaScript code in the victim's browser when a site is loaded, potentially leading to the theft of the victim's encrypted password, which may then be decrypted.

Recommendations For versions prior to 5.6, consider disabling access to the "/DS/LM API/api/SelectionService/InsertQueryWithActiveRelationsReturnId" API endpoint until a patch is available. Update to version 5.6 or later to resolve the issue.