Impact
This vulnerability is an SQL injection (CWE-89) in the handling of the dsgvo_contracts view. A remote attacker holding a high-privileged account can submit a SELECT request containing special characters that the application does not properly neutralize, so the attacker-supplied input becomes part of the query the application executes. That injected SQL can be used to read, modify or delete data stored in the database. The result can be a complete loss of confidentiality for all data reachable through the view, potentially exposing sensitive contractual information.
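The following is an added example, not code from the affected products or from the vendor advisory. The page names the dsgvo_contracts view but gives no schema, so the tables, columns, sample rows and the `customer` filter below are constructed assumptions. It shows the general mechanism the advisory describes: a SELECT over a view whose filter value is concatenated into the SQL text can be turned into a UNION that reads data the view was never meant to expose, while the same query with a bound parameter is not affected. It uses SQLite in memory so it runs offline.

```python
import sqlite3

# Constructed, hypothetical schema. The real dsgvo_contracts view and its
# backing tables are not described on the page; everything here is an assumption.
SCHEMA = """
CREATE TABLE contracts (id INTEGER PRIMARY KEY, customer TEXT, body TEXT);
CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT);
CREATE VIEW dsgvo_contracts AS SELECT id, customer, body FROM contracts;
INSERT INTO contracts (customer, body) VALUES
    ('ACME GmbH', 'Data processing agreement'),
    ('Beispiel AG', 'Controller-processor contract');
INSERT INTO api_keys (owner, secret) VALUES ('integration', 'k3y-do-not-leak');
"""


def open_db():
    """Return a fresh in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_contracts_vulnerable(conn, customer):
    """Hypothetical vulnerable pattern: the user-controlled value is spliced into the SQL text.

    A single quote in `customer` closes the string literal, after which the rest of
    the input is parsed as SQL. This is the shape of defect CWE-89 describes.
    """
    sql = ("SELECT id, customer, body FROM dsgvo_contracts "
           "WHERE customer = '" + customer + "'")
    return conn.execute(sql).fetchall()


def search_contracts_fixed(conn, customer):
    """Hardened form: the value is bound as a parameter and never becomes SQL grammar."""
    sql = "SELECT id, customer, body FROM dsgvo_contracts WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Constructed payload: closes the literal, appends a UNION with the same column
# count as the view, and comments out the trailing quote the template adds.
PAYLOAD = "x' UNION SELECT id, owner, secret FROM api_keys --"


def demo():
    """Run both variants with a benign value and with the injection payload."""
    conn = open_db()
    return {
        "vulnerable_benign": search_contracts_vulnerable(conn, "ACME GmbH"),
        "vulnerable_payload": search_contracts_vulnerable(conn, PAYLOAD),
        "fixed_benign": search_contracts_fixed(conn, "ACME GmbH"),
        "fixed_payload": search_contracts_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the vulnerable function the payload returns the `api_keys` row, i.e. data outside the view; with the parameterized function the same input is simply a customer name that matches nothing. The fix is the same regardless of database engine: bind values, never build the WHERE clause from user input by string concatenation.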
Affected Systems
The flaw exists in Helmholz's myREX24V2 and myREX24V2.virtual products, as well as MB connect line's mbCONNECT24 and mymbCONNECT24. Version 2.20.0 of these products is affected. Operators of these products should check the installed version against the vendor's advisory.
Risk and Exploitability
The CVSS score of 6.9 places this issue in the medium severity range: exploitation is practical, but it requires a high-privileged account on the application rather than anonymous access. No EPSS value is available, and the vulnerability has not entered the CISA KEV catalog, so there is no public record of exploitation in the wild at this time. An attacker needs network access to the application and a high-privileged account, and must craft input containing SQL metacharacters that the application passes, unneutralized, into the SELECT it runs over the dsgvo_contracts view. No separate database credentials are needed: the injected SQL executes through the application's own database connection, with whatever privileges that connection has.
OpenCVE Enrichment