Kados R10 GreenBee SQL Injection Vulnerability

An SQL injection vulnerability has been identified in Kados R10 GreenBee, a web-based tool for managing Scrum projects. This vulnerability allows attackers to inject malicious SQL code through the 'language_tag' parameter, potentially leading to unauthorized access to sensitive database information or manipulation of data. The issue arises from improper validation of user input, enabling SQL injection attacks that could exploit the application's database interactions.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries to extract or modify sensitive information.

Reproduction

The vulnerability can be reproduced by sending a crafted request to 'kados/administration/languages.php' with the 'language_tag' parameter. The injected SQL payload can be designed to, for example, extract data from the database by exploiting the application's SQL query handling.