Kados R10 GreenBee SQL Injection Vulnerability

A SQL injection vulnerability has been identified in Kados R10 GreenBee, a web-based tool for managing Scrum projects. This vulnerability allows attackers to inject malicious SQL code through the 'filter_user_mail' parameter, potentially leading to unauthorized access to sensitive database information or modification of data. The issue arises from improper validation of user input, enabling manipulation of SQL queries.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the 'administration/users.php' endpoint, including a SQL injection payload in the 'filter_user_mail' parameter. The injection can be verified by using payloads that, for example, extract database information or cause a time-based delay, indicating successful exploitation.