A SQL injection vulnerability in App Broker 2018 R1 and earlier allows local users to execute arbitrary SQL commands via the MachineName parameter.
The machine name sent by the client is not validated and can be used to deliver SQL commands that the database engine then interprets.
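
The missing validation described above, shown as an added example that is not Flexera's code: a hypothetical lookup keyed on the client-supplied machine name, first with the value concatenated into the SQL text, then with an allow-list check plus a bound parameter. The table, column and function names, the DNS-label naming rule and the sample input are all constructed for illustration.

```python
import re
import sqlite3

# Assumption: machine names follow DNS-label rules (1-63 chars, letters,
# digits and hyphens, no leading or trailing hyphen). Adjust to local policy.
MACHINE_NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def make_db():
    """Build a small in-memory table (hypothetical schema, constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE machines (name TEXT PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO machines VALUES (?, ?)",
                   [("PC-0001", "alice"), ("PC-0002", "bob")])
    return db


def lookup_unsafe(db, machine_name):
    """Weak form: the client value becomes part of the statement text,
    so quote characters in it change the structure of the query."""
    sql = "SELECT owner FROM machines WHERE name = '" + machine_name + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, machine_name):
    """Corrected form: validate against the allow-list, then bind the value."""
    # 1. Reject anything that is not a plausible machine name.
    if not MACHINE_NAME_RE.fullmatch(machine_name):
        raise ValueError("invalid machine name")
    # 2. Pass the value as a parameter so the engine treats it purely as data.
    cur = db.execute("SELECT owner FROM machines WHERE name = ?", (machine_name,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed sample input containing quotes
    print("unsafe:", lookup_unsafe(db, crafted))  # matches every row
    try:
        lookup_safe(db, crafted)
    except ValueError as exc:
        print("safe: rejected,", exc)
    print("safe:", lookup_safe(db, "PC-0001"))
```

The allow-list check gives an early, loggable rejection; the bound parameter is what guarantees the value is never parsed as SQL, so keep both.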
This issue has been resolved in App Broker 2019 R1. Please download the latest version of App Broker 2019 R1 from the PLC download area.
This issue has been tracked under issue number IOJ-1908386.
For release notes and resolved issues in App Broker 2019 R1, please visit:
https://helpnet.flexerasoftware.com/appportal/rn2019r1/AppPortalAppBroker2019r1ReleaseNotes.htm#resolve
Apr 30, 2019 07:16 AM