PT-2026-26929 · Unknown · I-Doit Cmdb

Ihsan Sencan · Published 2026-03-21 · Updated 2026-03-21 · CVE-2019-25581

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: i-doit CMDB version 1.12
Description: The software contains an SQL injection issue that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can inject malicious code through the objGroupID parameter. By sending GET requests with crafted SQL payloads in the objGroupID parameter, attackers can extract sensitive database information, including usernames, database names, and version details. The vulnerable API endpoint is accessed via GET requests.
Recommendations: Apply a fix to sanitize the objGroupID parameter to prevent SQL injection. As a temporary workaround, restrict access to the affected API endpoint.
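
While the fix or access restriction is being rolled out, web server access logs can be reviewed for GET requests whose objGroupID value is not a plain identifier. The following is an added example, not code from i-doit or from this advisory; it assumes combined-format access logs and that legitimate objGroupID values are decimal integers, and the endpoint path and log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

PARAM = "objGroupID"                  # parameter named in the advisory
VALID = re.compile(r"[0-9]{1,10}")    # assumption: legitimate IDs are decimal integers
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample lines; /PLACEHOLDER-ENDPOINT stands in for the real API path.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Mar/2026:10:00:01 +0000] '
    '"GET /PLACEHOLDER-ENDPOINT?objGroupID=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Mar/2026:10:00:05 +0000] '
    '"GET /PLACEHOLDER-ENDPOINT?objGroupID=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9034',
    '203.0.113.9 - - [21/Mar/2026:10:00:09 +0000] '
    '"GET /PLACEHOLDER-ENDPOINT?objGroupID=42%2527 HTTP/1.1" 200 498',
    '198.51.100.7 - - [21/Mar/2026:10:00:12 +0000] '
    '"GET /PLACEHOLDER-ENDPOINT?page=2 HTTP/1.1" 200 300',
]

def suspicious_values(log_line):
    """Return decoded objGroupID values in one log line that fail the allowlist."""
    m = REQUEST.search(log_line)
    if not m or m.group("method") != "GET":
        return []
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes once, so an encoded quote or a leftover
    # "%27" from double encoding both fail the digits-only check.
    return [value
            for name, value in parse_qsl(query, keep_blank_values=True)
            if name == PARAM and not VALID.fullmatch(value)]

def scan(lines):
    """Return (line number, client address, decoded value) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        client = line.split(" ", 1)[0]
        for value in suspicious_values(line):
            hits.append((number, client, value))
    return hits

if __name__ == "__main__":
    for number, client, value in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent {PARAM}={value!r}")
```

The same digits-only allowlist is the shape of check the server-side fix needs before the value reaches a query, ideally combined with a bound parameter.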

Exploit · Fix · SQL injection

Weakness Enumeration

Related Identifiers: CVE-2019-25581

Affected Products: I-Doit Cmdb