Executive Summary

A SQL injection vulnerability has been discovered in mjperpinosa stumasy up to version 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The vulnerability is located in the Notes_controller::accessing_dictionary_authorization function and can be exploited remotely. The CVSS score for this vulnerability is 7.3, indicating a high severity level.

Technical Analysis

The vulnerability is a SQL injection vulnerability, which occurs when user input is not properly sanitized and is used to construct SQL queries. In this case, the vulnerability is located in the Notes_controller::accessing_dictionary_authorization function of the file application/PHP/objects/notes/accessing_dictionary_authorization.php. The manipulation of the argument Password results in SQL injection. The attack may be performed from remote.

How It Gets Exploited

An attacker can exploit this vulnerability by sending a crafted request to the application, specifically to the Notes_controller::accessing_dictionary_authorization function. The attacker would need to manipulate the Password argument in such a way that it injects malicious SQL code. For example, an attacker could send a request with a Password argument that contains malicious SQL code, such as a UNION statement or a comment that injects malicious SQL. If the application does not properly validate and sanitize the input, the malicious SQL code could be executed, potentially allowing the attacker to access sensitive data or perform other malicious actions.

Impact Assessment

The impact of this vulnerability is significant, as it could allow an attacker to access sensitive data or perform other malicious actions. The CVSS score for this vulnerability is 7.3, indicating a high severity level. The vulnerability affects mjperpinosa stumasy up to version 327d1b0f2915ba79d7ef8ebb74553e987609d9be.

Recommended Actions

To mitigate this vulnerability, it is recommended to update mjperpinosa stumasy to a version that is not affected by this vulnerability. Additionally, it is recommended to implement input validation and sanitization to prevent SQL injection attacks. Specifically, the application should validate and sanitize the Password argument in the Notes_controller::accessing_dictionary_authorization function to prevent malicious SQL code from being injected.

Sources

- National Vulnerability Database (NVD) - CVE-2026-14750