a54552239 pearProjectApi SQL Injection Vulnerability in Backend Interface

Vulnerability

A SQL injection vulnerability has been identified in a54552239 pearProjectApi versions through 2.8.10. The issue resides in the Backend Interface, specifically within the 'dateTotalForProject' function of 'application/common/Model/Task.php'. The 'projectCode' parameter is user-controllable and reaches the database query without sanitization or parameterization, so an attacker can inject SQL into the statement and potentially read data they are not authorized to see. The vulnerability is exploitable remotely by an authenticated user, and a public exploit is available.
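The flaw described above is the classic "spliced string" pattern: a caller-supplied project code is concatenated into the query text instead of being bound as a parameter. The following Python example is added here for illustration and is not the project's code (pearProjectApi is a PHP application, and the page does not reproduce the actual SQL of 'dateTotalForProject'); it models a per-day task count for one project against a constructed SQLite table, with the vulnerable construction beside its parameterized replacement and an allow-list check on the code itself.

```python
import re
import sqlite3

# Constructed sample data: tasks for two projects with creation dates.
SAMPLE_TASKS = [
    ("PRJ-A", "2024-01-01"),
    ("PRJ-A", "2024-01-01"),
    ("PRJ-A", "2024-01-02"),
    ("PRJ-B", "2024-01-01"),
]

# Assumed shape of a valid project code; the real format is not on the page.
PROJECT_CODE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def make_db():
    """In-memory table standing in for the task table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE task (project_code TEXT, create_time TEXT)")
    conn.executemany("INSERT INTO task VALUES (?, ?)", SAMPLE_TASKS)
    return conn


def date_total_vulnerable(conn, project_code):
    """Mirrors the flaw: the caller's value is spliced into the SQL text."""
    sql = (
        "SELECT create_time, COUNT(*) FROM task "
        f"WHERE project_code = '{project_code}' "
        "GROUP BY create_time ORDER BY create_time"
    )
    return conn.execute(sql).fetchall()


def date_total_safe(conn, project_code):
    """Same query, value bound as a parameter; quotes in it are just data."""
    sql = (
        "SELECT create_time, COUNT(*) FROM task "
        "WHERE project_code = ? "
        "GROUP BY create_time ORDER BY create_time"
    )
    return conn.execute(sql, (project_code,)).fetchall()


def is_valid_project_code(project_code):
    """Defence in depth: reject anything outside the expected alphabet."""
    return PROJECT_CODE_RE.fullmatch(project_code) is not None


def demo():
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into a tautology
    return {
        "honest_vulnerable": date_total_vulnerable(conn, "PRJ-A"),
        "payload_vulnerable": date_total_vulnerable(conn, payload),  # leaks PRJ-B rows
        "payload_safe": date_total_safe(conn, payload),              # no rows
        "payload_allowed": is_valid_project_code(payload),           # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the tautology payload the vulnerable query aggregates every project's tasks (three on 2024-01-01 instead of two), while the parameterized query looks for a project literally named `' OR '1'='1` and returns nothing. Binding parameters is the fix; the allow-list check is a cheap second layer that also rejects the payload before it reaches the database.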

Impact

Exploitation of this vulnerability allows an attacker to alter the database query and execute arbitrary SQL statements with the privileges of the application's database account. This can lead to unauthorized data access or data manipulation and, depending on the database configuration and privileges, in some cases to command execution on the server.

Reproduction

To reproduce this vulnerability, send a POST request to '/index.php/project/Task/dateTotalForProject' with the 'projectCode' parameter set to a crafted value containing a SQL injection payload. The request must carry a valid authorization token and the 'Organizationcode' header, so the attacker needs an account on the target instance; the vulnerability is post-authentication, not anonymous. Tools such as sqlmap can automate the exploitation once those headers are supplied.

Added: Feb 24, 2026, 3:21 AM
Updated: Feb 24, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.0
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.