CVE-2023-3208

Name of the Vulnerable Software and Affected Versions RoadFlow Visual Process Engine .NET Core Mvc version 2.13.3

Description A critical issue has been found in the Login component of the affected software, specifically in the file "/Log/Query?appid=0B736354-9473-4D66-B9C0-15CAC149EB05&tabid=tab 0B73635494734D66B9C015CAC149EB05". The manipulation of the sidx and sord arguments leads to SQL injection. This issue can be exploited remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted about this issue but did not respond.

Recommendations For version 2.13.3, as a temporary workaround, consider restricting access to the "/Log/Query" endpoint until a patch is available. Additionally, avoid using the sidx and sord arguments in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.