2025-10-21 13:34:32
CERT-PL
PUBLISHED
SQL injection vulnerability in the fields of warehouse document filtering form in SIMPLE.ERP software allows logged-in user a malicious query injection. Potential exploitation is limited by the 20-character limit in form fields. Identified use case allows to delete tables with a name of maximum 6 characters. We werent able to identify a way to exfiltrate data within query character limit. This issue affects SIMPLE.ERP in versions before 6.30@a04.3.