Hi team,
While reviewing the source code for this application, I've noticed there is the possibility of injecting user-controlled SQL statements, which would allow for complete compromise of the application.
Note: The proof of concept is demonstrated in the Actual Exploitation section.
{Edit by repo author: details temporarily redacted till the issue is fixed within a few days}
Lastly, I just wanted to say thank you so much for releasing such awesome open source applications. I've had a lot of fun testing this application, as the code is very well written and the application itself serves a realistic purpose.
Please let me know if you have any questions regarding this issue.
Best regards,
- mqt