After upgrading Storage Manager to the latest version 5.2, to fix a vulnerability, our third-party vendor identified a new high-level SQL injection vulnerability with this application. This was submitted to development almost a month ago, but has yet to be addressed. This needs to be resolved since this is a high-risk item, but it doesn't appear that anyone's made any progress with it.
This is the high-level description that we received from our vulnerability analysis system:
This host has a web application that is vulnerable to a SQL injection authentication bypass. SQL injection authentication bypasses occur when an attacker is able to supply input in such a way that the resulting combined SQL statement executed on the web server is both valid and results in login access.
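To make the scanner's description concrete, here is an added illustration (not Storage Manager's code, and not from the vendor report) of the two login-query patterns it contrasts: one that splices the submitted username and password into the SQL text, and one that binds them as parameters so the statement structure is fixed regardless of input. The in-memory SQLite table, user names and passwords are constructed for the demo; a real application would compare a password hash rather than a plaintext value.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("o'brien", "battery staple")],  # sample rows
    )
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text.

    The database engine cannot tell where the data ends and the statement
    begins, so a quote character in the input changes the statement's
    structure. That is exactly the condition the scanner describes: the
    combined statement is whatever the input makes it.
    """
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened pattern: the statement is fixed; input is bound as parameters.

    Whatever characters the input contains, it is only ever compared as a
    value against the columns; it can never become part of the SQL syntax.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both patterns against the same inputs and report what happened."""
    conn = make_db()
    results = {}
    # Ordinary input: both patterns behave identically, so the defect is latent.
    results["concat_ok"] = login_concat(conn, "alice", "correct horse")
    results["param_ok"] = login_param(conn, "alice", "correct horse")
    results["param_wrong"] = login_param(conn, "alice", "wrong password")
    # A legitimate name containing a quote: the parameterized query still
    # matches the row, while the concatenated query is no longer the statement
    # the developer wrote and SQLite rejects it as malformed.
    results["param_quote"] = login_param(conn, "o'brien", "battery staple")
    try:
        login_concat(conn, "o'brien", "battery staple")
        results["concat_quote"] = "executed"
    except sqlite3.OperationalError:
        results["concat_quote"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The useful check when triaging a finding like this one is the `concat_quote` case: if a single quote in a login field produces a database error or an unexpected result, the input is reaching the SQL parser as syntax, and the fix is to move the query to bound parameters as in `login_param` rather than to filter characters.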