Clinic Pro SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Clinic Pro versions through 4. This vulnerability allows authenticated attackers to manipulate database queries by injecting SQL code into the 'month' parameter. Exploitation can be achieved by sending POST requests to the 'monthly_expense_overview' endpoint, using crafted month values that leverage boolean-based blind, time-based blind, or error-based SQL injection techniques to extract sensitive information from the database.
Impact
Exploitation of this vulnerability allows for unauthorized database access and information retrieval, potentially including sensitive data.
Reproduction
To reproduce this vulnerability, log in as an authenticated user and send a POST request to the 'monthly_expense_overview' endpoint. Include a crafted 'month' parameter value that exploits the SQL injection vulnerability. This can be done using boolean-based blind, time-based blind, or error-based SQL injection techniques.
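The query pattern the advisory describes, shown beside a hardened version, as an added example that is not Clinic Pro's own code: the table, rows, function names and the crafted input are constructed assumptions for illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the expense data
    # behind monthly_expense_overview (sample rows, not the real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE expenses (id INTEGER, month INTEGER, amount REAL)")
    conn.executemany(
        "INSERT INTO expenses VALUES (?, ?, ?)",
        [(1, 1, 100.0), (2, 1, 50.0), (3, 2, 75.0), (4, 3, 20.0)],
    )
    return conn


def monthly_overview_vulnerable(conn, month):
    # Untrusted 'month' is concatenated into the SQL text, so the input can
    # change the statement's structure instead of acting as a value.
    sql = "SELECT id, amount FROM expenses WHERE month = " + str(month)
    return conn.execute(sql).fetchall()


def parse_month(month):
    # Allow-list validation: the only legitimate values are the integers 1..12.
    if not isinstance(month, str) or not month.isdigit():
        raise ValueError("month must be a decimal integer")
    value = int(month)
    if not 1 <= value <= 12:
        raise ValueError("month out of range")
    return value


def monthly_overview_hardened(conn, month):
    # Validate first, then bind: the driver sends the value separately from
    # the SQL text, so it can never be interpreted as part of the query.
    value = parse_month(month)
    return conn.execute(
        "SELECT id, amount FROM expenses WHERE month = ?", (value,)
    ).fetchall()


def hardened_rejects(month):
    # True when the hardened endpoint refuses the input outright.
    try:
        parse_month(month)
    except ValueError:
        return True
    return False
```

A constructed tautology such as `"1 OR 1=1"` makes the vulnerable function return every row, while the hardened one rejects it before any query runs; logging such rejections on the endpoint is a cheap detection signal.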
