In Selesta Visual Access Manager < 4.42.2, an authenticated user can access the administrative page /common/vam_Sql.php, which allows for arbitrary SQL queries.

References
https://gitlab.com/daniele_m/cve-list/-/blob/main/README.md