CVE-2023-2760

Name of the Vulnerable Software and Affected Versions TapHome versions prior to 2023.2

Description An SQL injection issue exists in the HandleMessageUpdateDevicePropertiesRequest function, allowing low-privileged users to inject arbitrary SQL directives into an SQL query. This enables the execution of arbitrary SQL commands, providing full reading access, and may also lead to limited write access and temporary Denial-of-Service.

Recommendations For versions prior to 2023.2, update to version 2023.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the HandleMessageUpdateDevicePropertiesRequest function until a patch is available.