This vulnerability involves improper neutralization of special elements in an SQL UPDATE command in the UpdateParam function of the view.html.php file in mbCONNECT24. An unauthenticated attacker with high privileges can exploit this SQL Injection flaw to read the entire database and alter data in a non-critical table. The issue results in significant confidentiality compromise and some integrity loss. The vulnerability is identified as CWE-89 and has a CVSS 4.0 base score of 7, indicating high severity. There is currently no vendor advisory or patch available, and the product is not a cloud service.

Exploitation allows a remote attacker without authentication to perform SQL Injection attacks, leading to full disclosure of database contents and unauthorized modification of certain data. This results in a total loss of confidentiality and partial loss of integrity of the affected system's data. The vulnerability does not affect critical data integrity but still poses a significant security risk.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected functionality and monitor for suspicious activity related to SQL Injection attempts. Avoid exposing the vulnerable interface to untrusted networks if possible.