PT-2026-21315 · Unknown · Labcollector

Carlos Avila · Published 2026-02-20 · Updated 2026-02-20 · CVE-2019-25438

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LabCollector version 5.423

Description: LabCollector version 5.423 has multiple SQL injection flaws. Unauthenticated attackers can execute arbitrary SQL commands by injecting malicious input through POST parameters. Crafted SQL payloads submitted in the login parameter of the "login.php" endpoint or the user name parameter of the "retrieve password.php" endpoint are passed into database queries, allowing an attacker to extract sensitive database information without authentication.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the "login.php" and "retrieve password.php" endpoints. Sanitize the login parameter in "login.php" to prevent SQL injection. Sanitize the user name parameter in "retrieve password.php" to prevent SQL injection.
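The following is an added example illustrating the recommendation above; it is not LabCollector's own code, and the advisory does not show the vulnerable source. It assumes a PHP login handler backed by PDO/MySQL and a hypothetical `users` table with `id`, `login`, `email` and `password_hash` columns. It places the pattern the advisory describes (a POST value spliced into query text) beside the prepared-statement form that closes the injection, and applies the same treatment to the user-name lookup a password-retrieval endpoint would perform.

```php
<?php
// Added example (not LabCollector code): the SQL-injection pattern the
// advisory describes, beside the prepared-statement form that removes it.
// Table and column names (users, id, login, email, password_hash) and the
// DSN are assumptions for illustration; the real schema is not given.

function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=labdb', 'app', 'secret');
    // Throw on errors and disable client-side emulation so the driver
    // sends real server-side prepared statements.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// VULNERABLE PATTERN: the POST value is concatenated into the query text,
// so any quote or operator the client sends becomes part of the SQL the
// server parses. This is the class of defect the advisory reports.
function findUserVulnerable(PDO $pdo, string $login): ?array {
    $sql = "SELECT id, login, password_hash FROM users WHERE login = '" . $login . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// FIXED: the query text is fixed at prepare time and the value travels
// separately as a bound parameter; it can never alter the statement.
function findUserSafe(PDO $pdo, string $login): ?array {
    $stmt = $pdo->prepare(
        'SELECT id, login, password_hash FROM users WHERE login = :login'
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Same treatment for the user-name lookup a password-retrieval endpoint
// performs before sending a reset message.
function findByUsernameSafe(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare(
        'SELECT id, email FROM users WHERE login = :login LIMIT 1'
    );
    $stmt->execute([':login' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Request handling for a login endpoint: read the field, apply a coarse
// length bound as a sanity check (the bound parameter is the real
// protection), and return one generic failure message so the response
// does not reveal whether the user name or the password was wrong.
function handleLogin(PDO $pdo): void {
    $login    = (string)($_POST['login'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if ($login === '' || strlen($login) > 64) {
        http_response_code(400);
        return;
    }
    $user = findUserSafe($pdo, $login);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        http_response_code(401);
        echo 'Invalid credentials';
        return;
    }
    session_regenerate_id(true);
    $_SESSION['uid'] = $user['id'];
}
```

The advisory's "sanitize the parameter" recommendation is best met by parameterization rather than escaping: a prepared statement keeps user input out of the SQL grammar entirely, whereas escaping depends on the connection charset and on every call site remembering to apply it. Until the vendor fix is deployed, the interim restriction the advisory suggests (limiting who can reach "login.php" and "retrieve password.php", for example at the web server or reverse proxy) reduces exposure, and database-side least privilege for the application account limits what an injected query can read.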

Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers: CVE-2019-25438

Affected Products: Labcollector