DESCOR INFOCAD 3.5.1 and before and fixed in v.3.5.2.0 allows SQL Injection.
The vulnerability consists of improper validation or lack of parameterization of input data passed to SQL queries (CWE-89). An attacker can inject arbitrary SQL code over the network without needing to have an account in the system. Due to the changed scope (Scope: Changed in the CVSS vector), exploitation can affect resources beyond the directly attacked component, such as other databases or systems sharing the environment.
An attacker can gain full access to data stored in the database (confidentiality), modify or delete data (integrity), and potentially cause system unavailability or execute commands at the database server level (availability).
Descor Infocad must be updated immediately to version 3.5.2.0, in which the vulnerability has been fixed. Detailed information is available in the vendor's changelog at https://www.infocadfm.com/changelog/sql-injection/
Descor Infocad in version 3.5.1 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HDescor Infocad
APPDescor< 3.5.2.0