CVE-2023-7146

Name of the Vulnerable Software and Affected Versions gopeak MasterLab versions up to 3.3.10

Description A critical issue has been found in the HTTP POST Request Handler component, specifically affecting the function sqlInjectDelete() of the file app/ctrl/framework/Feature.php. The manipulation of the argument phone leads to sql injection. The exploit has been disclosed to the public and may be used.

Recommendations For gopeak MasterLab versions up to 3.3.10, consider disabling the sqlInjectDelete() function as a temporary workaround until a patch is available. Restrict access to the app/ctrl/framework/Feature.php file to minimize the risk of exploitation. Avoid using the phone argument in the affected HTTP POST Request Handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.