PT-2026-6829 · Quickdate · Quickdate

Ihsan Sencan · Published 2026-02-06 · Updated 2026-02-07 · CVE-2020-37163

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

QuickDate version 1.3.2

Description

The software contains a SQL injection issue that allows remote attackers to manipulate database queries. This is achieved through the located parameter in the /find matches API endpoint. Attackers can inject UNION-based SQL statements to extract database information, including user credentials, database name, and system version.

Recommendations

Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /find matches API endpoint or sanitize the located parameter to prevent SQL injection attacks.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2020-37163

Affected Products: Quickdate