CVE-2023-2519

Name of the Vulnerable Software and Affected Versions Caton CTP Relay Server version 1.2.9

Description A critical issue has been found in the API component of the affected software, specifically in the /server/api/v1/login endpoint. The manipulation of the username and password arguments leads to SQL injection. This issue can be exploited remotely. The vendor was contacted about this disclosure but did not respond.

Recommendations For Caton CTP Relay Server version 1.2.9, as a temporary workaround, consider restricting access to the /server/api/v1/login endpoint until a patch is available. Avoid using the username and password arguments in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.