Impact
Guardian language-system allows an authenticated attacker to supply an id value through the id GET parameter of job_info_get.php that is concatenated directly into a SQL query string, without input validation or the use of prepared statements. This is a classic instance of SQL injection (CWE-89): the attacker controls part of the SQL text and can therefore alter the structure of the query rather than just the value being compared. When exploited, the attacker can provoke database error messages (useful for error-based extraction) and read out database contents, leading to a full loss of confidentiality for the operational data the application stores. The CVSS score of 9.3 reflects the severity of this risk.
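The following added example, which is not code from Guardian language-system or from the advisory, reproduces the CWE-89 pattern described above against a constructed in-memory SQLite database. The table and column names (jobs, users, login, pw_hash) and the sample rows are assumptions for illustration only; the point is to show the concatenated query beside its parameterised replacement and why the second one is not affected by the same id value.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's database.

    Schema and contents are hypothetical; nothing here is taken from the
    real product.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    con.executemany(
        "INSERT INTO jobs VALUES (?, ?)",
        [(1, "translate manual"), (2, "review glossary")],
    )
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "hash-of-admin-password"), (2, "alice", "hash-of-alice-password")],
    )
    return con


def job_info_vulnerable(con, job_id):
    """The pattern the advisory describes: the GET parameter is pasted into
    the SQL text, so the attacker controls query structure."""
    sql = "SELECT id, title FROM jobs WHERE id = " + job_id
    return con.execute(sql).fetchall()


def error_based_probe(con, job_id):
    """Return the database error message (if any) that a given id provokes.

    A single unbalanced quote is enough to make the vulnerable endpoint leak
    a parser error, which is the first signal an attacker looks for.
    """
    try:
        job_info_vulnerable(con, job_id)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def job_info_fixed(con, job_id):
    """Prepared statement: the value travels separately from the SQL text,
    so it can only ever be compared, never parsed as SQL."""
    return con.execute(
        "SELECT id, title FROM jobs WHERE id = ?", (job_id,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    payload = "1 UNION SELECT login, pw_hash FROM users"
    print("vulnerable:", job_info_vulnerable(con, payload))  # job row plus every user
    print("error probe:", error_based_probe(con, "1'"))      # parser error text
    print("fixed:", job_info_fixed(con, payload))            # no rows
```

In the fixed version the whole string `1 UNION SELECT ...` is compared against the integer id column and matches nothing; the UNION never reaches the parser. In a real fix the id should additionally be validated as an integer before the query is run, so that unexpected input is rejected with a clean 4xx instead of silently returning an empty result.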
Affected Systems
The vulnerable component is the Guardian language-system, specifically the job_info_get.php script. No version numbers are listed in the advisory, so every installation of this product should be treated as affected until the vendor publishes a fixed release and the deployment has been updated to it.
Risk and Exploitability
The vulnerability is documented as requiring only a valid authenticated session to reach the affected endpoint. An attacker must log in with any user account and then request job_info_get.php with a crafted id value to exploit the SQL injection; no elevated role is needed. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and no EPSS data is available for it. Consequently, the default risk assessment rests on the high CVSS score, and the threat level is significant for networks that expose this endpoint externally or that host sensitive data behind it. The absence of a known public exploit does not diminish the potential impact of a successful injection, since the attack itself is straightforward once an account is available.
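Because exploitation only needs a logged-in account and a crafted id, the cheapest compensating check while waiting for a fix is to watch web server access logs for job_info_get.php requests whose id parameter is not a plain integer. The added example below is not part of the advisory or the product; it parses constructed Apache combined-format log lines (the IP addresses, users and timestamps are made up) and flags the suspicious requests. The log format, the field names and the "digits only" rule for id are assumptions; adjust them to what the endpoint legitimately accepts in your deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: client, ident, authuser, timestamp,
# request line, status. Only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption: a legitimate id for this endpoint is a decimal integer.
SAFE_ID = re.compile(r"^\d+$")

# Constructed sample lines; none of these come from a real server.
SAMPLE_LOG = """\
203.0.113.7 - alice [10/Oct/2023:13:55:36 +0000] "GET /job_info_get.php?id=42 HTTP/1.1" 200 512
203.0.113.9 - bob [10/Oct/2023:13:56:01 +0000] "GET /job_info_get.php?id=42%27 HTTP/1.1" 500 210
203.0.113.9 - bob [10/Oct/2023:13:56:20 +0000] "GET /job_info_get.php?id=42+UNION+SELECT+1,2 HTTP/1.1" 200 900
198.51.100.4 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 1024
"""


def check_line(line):
    """Return a finding dict for a suspicious job_info_get.php request,
    or None for anything else (other paths, unparsable lines, clean ids)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/job_info_get.php"):
        return None
    # parse_qs percent-decodes once and turns '+' into a space, so the
    # value below is what the PHP script would see in $_GET['id'].
    query = parse_qs(parts.query, keep_blank_values=True)
    for value in query.get("id", []):
        if not SAFE_ID.match(value):
            return {
                "ip": m.group("ip"),
                "user": m.group("user"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "id": value,
            }
    return None


def scan(log_text):
    """Run check_line over every line and collect the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The quote probe that returns a 500 is the error-based fingerprinting step the Impact section mentions, and a run of such requests from one authenticated user followed by a UNION payload is the sequence to alert on. Since the parameter is decoded only once here, double-encoded payloads (for example `%2527`) would not match the rule; decode a second time or inspect the raw query string as well if the application does.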
OpenCVE Enrichment