EXECUTIVE SUMMARY:
Two high-severity SQL injection vulnerabilities were identified in FacturaScripts, an open-source web application framework. The first flaw allows SQL injection through the autocomplete actions feature, where unsanitized user input is included directly in database queries, enabling authenticated attackers to extract sensitive information such as user credentials and business data. The second issue exists in the REST API's sorting functionality, where the sort parameter is concatenated into the SQL ORDER BY clause without validation, allowing authenticated API users to craft arbitrary SQL queries that could expose confidential data or compromise systems. Both vulnerabilities stem from insufficient input validation and could be exploited remotely by authenticated users to manipulate backend queries and access or exfiltrate sensitive information if applications are deployed with vulnerable versions.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: