PT-2026-3052 · Unknown · Build Smart Erp

Nehru Sethuraman · Published 2026-01-15 · Updated 2026-01-15 · CVE-2021-47777

CVSS v3.1: 8.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Build Smart ERP version 21.0817

Description

The software contains an unauthenticated SQL injection issue in the login validation endpoint. Attackers can inject SQL queries using payloads like ';WAITFOR DELAY '0:0:3'-- through the eidValue parameter. This could allow manipulation of database queries and potential extraction or modification of database information. The affected API endpoint is '/login'.

Recommendations

Apply input validation and sanitization to the eidValue parameter in the login validation endpoint. Implement parameterized queries or prepared statements to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
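
The recommendation above, as an added example that is not code from Build Smart ERP or from this advisory: it contrasts a concatenated query with a validated, parameterized one, using the payload string quoted in the description. The employees table, the eid column and the allow-list pattern are assumptions, and SQLite stands in for the product's database so the block runs offline (WAITFOR DELAY is SQL Server syntax and is never executed here).

```python
import re
import sqlite3

# Payload string quoted in the advisory description (SQL Server syntax).
ADVISORY_PAYLOAD = "';WAITFOR DELAY '0:0:3'--"

# Assumption: the advisory does not document the format of a valid eidValue.
EID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,32}")


def make_db():
    """In-memory stand-in with a hypothetical employees table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (eid TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO employees VALUES ('E1001', 'Constructed User')")
    return db


def build_query_unsafe(eid_value):
    """Vulnerable pattern: eidValue is pasted into the statement text."""
    return "SELECT name FROM employees WHERE eid = '" + eid_value + "'"


def is_valid_eid(eid_value):
    """Allow-list check applied before the value reaches the database."""
    return EID_PATTERN.fullmatch(eid_value) is not None


def lookup_parameterized(db, eid_value):
    """Bound parameter: the value is compared as data, never parsed as SQL."""
    row = db.execute(
        "SELECT name FROM employees WHERE eid = ?", (eid_value,)
    ).fetchone()
    return row[0] if row else None


def lookup_safe(db, eid_value):
    """Validation and binding together, as the recommendation describes."""
    if not is_valid_eid(eid_value):
        return None
    return lookup_parameterized(db, eid_value)


if __name__ == "__main__":
    db = make_db()
    # The quote in the payload closes the literal; the rest becomes statement text.
    print(build_query_unsafe(ADVISORY_PAYLOAD))
    print(lookup_parameterized(db, ADVISORY_PAYLOAD))  # no row matches
    print(lookup_safe(db, "E1001"))
```

Binding alone already keeps the payload out of the statement text; the allow-list check rejects it earlier and gives the application a point at which to log the malformed eidValue.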

Exploit

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2021-47777

Affected Products

Build Smart Erp