Unrated severity · NVD Advisory · Published Sep 30, 2020 · Updated Aug 4, 2024

CVE-2020-12870

Description

RainbowFish PacsOne Server 6.8.4 allows SQL injection on the username parameter in the signup page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input sanitization on the username parameter in the signup page allows SQL injection."

Attack vector

An attacker can submit a crafted username value containing SQL metacharacters through the signup page's username field. The application does not sanitize or parameterize this input before incorporating it into a database query, enabling the attacker to execute arbitrary SQL commands [ref_id=1]. The attack requires only network access to the signup page and no prior authentication. The payload is delivered via a standard HTTP POST request to the signup endpoint.

Affected code

The advisory does not specify the exact file or function containing the vulnerable code. The vulnerability exists in the signup page of PacsOne Server 6.8.4, where the username parameter is processed without sanitization [ref_id=1].

What the fix does

The advisory does not include a patch or specific remediation guidance for this CVE. The vendor's download page lists version history entries that mention bug fixes and security updates in later releases (e.g., version 7.3.3 addresses CVE-2020-13249), but no explicit fix for the signup-page SQL injection is documented [ref_id=1]. Users should apply input validation and parameterized queries for the username field, or upgrade to a version where this issue has been addressed.
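The remediation named above (input validation plus a parameterized query for the signup username), as an added example that is not PacsOne code: the advisory does not identify the vulnerable file or query, so Python with an in-memory SQLite database stands in for it. The `users` table, the function names and the username policy are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed username policy for this example: 3-32 letters, digits, '.', '_' or '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")


def make_db():
    """In-memory stand-in for the account table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY)")
    return db


def signup_unsafe(db, username):
    """Flawed pattern: the username becomes part of the SQL text itself."""
    db.execute(f"INSERT INTO users (username) VALUES ('{username}')")


def insert_user(db, username):
    """Bound parameter: the driver passes the value as data, never as SQL."""
    db.execute("INSERT INTO users (username) VALUES (?)", (username,))


def signup_safe(db, username):
    """Validate against the allowlist, then insert with a bound parameter.

    Returns True when the account was created, False when the name is
    rejected or already taken.
    """
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return False
    try:
        insert_user(db, username)
    except sqlite3.IntegrityError:  # duplicate username
        return False
    return True


def stored_names(db):
    return [row[0] for row in db.execute("SELECT username FROM users ORDER BY username")]


if __name__ == "__main__":
    db = make_db()
    for name in ["alice", "o'neil", "alice"]:  # constructed sample input
        print(repr(name), "->", signup_safe(db, name))
    print(stored_names(db))
```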

Preconditions

  • network: Attacker must have network access to the PacsOne Server signup page.
  • input: Attacker must be able to submit a crafted username parameter via HTTP POST.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
