DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL commands via unspecified vectors. This vulnerability affects the `/api/trackedEntityInstances` and `/api/trackedEntityInstances/query` API endpoints in all DHIS2 versions 2.34, 2.35, and 2.36. It also affects versions 2.32 and 2.33 which have reached _end of support_ - exceptional security updates have been added to the latest *end of support* builds for these versions. Versions 2.31 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without firs
Add your gear to cvedb and we'll alert you only when dhis2 ships something exploited.
Check my exposure →This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.