Key vulnerability information

Advisory ID: usd-2022-0066
Product: Documize
Affected Version: v5.4.2 (221021105923)
Vulnerability Type: SQL Injection (CWE-89)
Security Risk: Critical
Vendor URL: https://www.documize.com
Vendor Status: Not fixed
CVE number: CVE-2023-23634

Description

The parameter of the allows SQL Injection.

Proof of Concept

The following request was used to inject data into the SQL query using the parameter:

Fix

It is recommended to use prepared statements (parameterized queries), so that user-supplied values are bound by the database driver instead of being concatenated into the SQL text.

Timeline

2022-12-16: First contact request via mail
2023-01-09: Second contact request via mail
2023-01-16: Try to contact vendor again
2023-02-02: Try to contact vendor again
2023-12-22: Publish advisory

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.
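The recommended fix, shown as an added example that is not part of the advisory and not Documize code: a query built by string concatenation beside the same query as a prepared statement, run against an in-memory SQLite database with constructed sample data. The table names (document, account), column names and the injection payload are hypothetical and chosen only to illustrate CWE-89.

```python
"""Added example: string-built SQL beside its prepared-statement form.
Not Documize code; schema, data and payload are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: documents scoped to an organisation, plus an account table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE document (id TEXT, org_id TEXT, title TEXT);
        CREATE TABLE account (id TEXT, email TEXT, password_hash TEXT);
        INSERT INTO document VALUES ('d1', 'org-a', 'Onboarding'),
                                    ('d2', 'org-b', 'Board minutes');
        INSERT INTO account VALUES ('u1', 'admin@example.test', '$2a$10$constructedhash');
        """
    )
    return conn


def titles_vulnerable(conn: sqlite3.Connection, org_id: str, doc_id: str) -> list:
    """Vulnerable: the attacker-controlled doc_id is concatenated into the SQL text,
    so a quote in the value ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT title FROM document WHERE org_id = '{org_id}' AND id = '{doc_id}'"
    return [row[0] for row in conn.execute(sql)]


def titles_prepared(conn: sqlite3.Connection, org_id: str, doc_id: str) -> list:
    """Fixed: placeholders are bound by the driver; the value is never parsed as SQL."""
    sql = "SELECT title FROM document WHERE org_id = ? AND id = ?"
    return [row[0] for row in conn.execute(sql, (org_id, doc_id))]


# Hypothetical payload: closes the id literal and appends a UNION that reads
# from a different table, which is how an injection turns into data exposure.
PAYLOAD = "' UNION SELECT password_hash FROM account WHERE '1'='1"


def demo() -> dict:
    """Run both variants with a normal id and with the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": titles_vulnerable(conn, "org-a", "d1"),
        "vulnerable_payload": titles_vulnerable(conn, "org-a", PAYLOAD),
        "prepared_normal": titles_prepared(conn, "org-a", "d1"),
        "prepared_payload": titles_prepared(conn, "org-a", PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the payload returns the password hash from the unrelated account table; with the prepared statement the same payload is simply compared as a literal document id and matches nothing. Escaping quotes by hand is not an equivalent fix, since it has to be correct for every database dialect and every place the value is used; binding parameters removes the problem rather than patching around it.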