** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitized when the category reorder API processes the stored value. This Second-Order SQL Injection (Time-Based Blind) allows an authenticated attacker to exfiltrate sensitive data including password hashes of other users. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued.
| Vendor | Product | Versions |
|---|---|---|
| mattermost | focalboard | go/github.com/mattermost/focalboard: <= 7.10.6 |
Updated severity to CRITICAL and marked the vulnerability as actively exploited.
Initial creation
