Kados R10 GreenBee SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Kados R10 GreenBee, a web-based tool for managing Scrum projects. This vulnerability allows attackers to inject malicious SQL code through the 'id_to_delete' parameter, enabling them to manipulate database queries and potentially extract or modify sensitive information from the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the 'projects.php' or 'news.php' files within the Kados application. The request must include the 'id_to_delete' parameter with a payload that exploits the SQL injection flaw, such as a SQL statement that manipulates the query execution.