PT-2023-27875 · Plixer · Plixer Scrutinizer

Chris Bellows · Published 2023-10-12 · Updated 2023-10-16 · CVE-2023-41262

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Plixer Scrutinizer versions prior to 19.3.1

Description
An issue was discovered in the /fcgi/scrut_fcgi.fcgi endpoint, specifically in the csvExportReport endpoint action generateCSV, which is vulnerable to SQL injection through the sorting parameter. This allows an unauthenticated user to execute arbitrary SQL statements in the context of the application's backend database server.

Recommendations
For versions prior to 19.3.1, update to version 19.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /fcgi/scrut_fcgi.fcgi endpoint or disabling the generateCSV action in the csvExportReport endpoint until a patch is available. Avoid using the sorting parameter in the affected endpoint until the issue is resolved.
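Sort parameters are a recurring injection point because a column name cannot be passed as a bind parameter, so the only robust fix is to map the request value onto a fixed allowlist before it touches the SQL string. The following added example (not Plixer's code; the flows table, column names and rows are constructed assumptions) shows the vulnerable splice next to a hardened export routine that rejects anything outside the allowlist:

```python
import sqlite3

# Constructed sample rows standing in for a report result set; the table and
# column names are assumptions, not Scrutinizer's real schema.
SAMPLE_ROWS = [
    ("10.0.0.5", 4096, 12),
    ("10.0.0.9", 81920, 40),
    ("10.0.0.2", 512, 3),
]

# Allowlist: request value -> real column name. Anything else is rejected.
ALLOWED_SORT_COLUMNS = {"host": "host", "bytes": "bytes", "packets": "packets"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def vulnerable_query(sorting: str) -> str:
    # Anti-pattern: the request parameter is spliced verbatim into ORDER BY.
    # Bind parameters cannot fix this, since column names are not data values.
    return f"SELECT host, bytes, packets FROM flows ORDER BY {sorting}"


def safe_order_by(sorting: str) -> str:
    """Translate 'column' or 'column:direction' into a fixed ORDER BY clause.

    Only allowlisted tokens are ever emitted, so no request-controlled text
    reaches the SQL string. Unknown values raise ValueError.
    """
    column, _, direction = sorting.partition(":")
    direction = (direction or "asc").lower()
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f'ORDER BY "{ALLOWED_SORT_COLUMNS[column]}" {ALLOWED_DIRECTIONS[direction]}'


def export_rows(sorting: str) -> list:
    """Hardened stand-in for a CSV export: builds the query from the allowlist
    and runs it against an in-memory SQLite table of the sample rows."""
    clause = safe_order_by(sorting)  # rejects bad input before any SQL runs
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (host TEXT, bytes INTEGER, packets INTEGER)")
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(f"SELECT host, bytes, packets FROM flows {clause}").fetchall()
    conn.close()
    return rows
```

Rejected values are a useful signal on their own: logging the ValueError with the source address gives a cheap detection for probing of the export endpoint.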

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2023-41262

Affected Products: Plixer Scrutinizer