Name of the Vulnerable Software and Affected Versions:

diskover-web version 2.3.0

Description:

The application is susceptible to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Improper input validation and parameterization in JSON-based query construction allows attackers to inject arbitrary SQLite expressions through unsanitized user input in POST parameters such as `ES PASS`, `ES MAXSIZE`, `ES TRANSLOGSIZE`, `ES TIMEOUT`, `ES USER`, `ES HOST`, `ES PORT`, `ES SCROLLSIZE`, and `ES CHUNKSIZE`. Successful exploitation can lead to the inference or extraction of sensitive information from the underlying database without authentication.

Recommendations:

At the moment, there is no information about a newer version that contains a fix for this vulnerability.