CVE-2025-50984

Name of the Vulnerable Software and Affected Versions: diskover-web version 2.3.0

Description: The application is susceptible to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Improper input validation and parameterization in JSON-based query construction allows attackers to inject arbitrary SQLite expressions through unsanitized user input in POST parameters such as ES PASS, ES MAXSIZE, ES TRANSLOGSIZE, ES TIMEOUT, ES USER, ES HOST, ES PORT, ES SCROLLSIZE, and ES CHUNKSIZE. Successful exploitation can lead to the inference or extraction of sensitive information from the underlying database without authentication.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.