This vulnerability arises from improper neutralization of special elements in an SQL INSERT command within the saveDashboardLayout function of dash_layout.php in mbCONNECT24. An attacker with low privileges can exploit this unauthenticated SQL Injection to read the entire database contents and insert data into a non-critical table. The CVSS 4.0 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, no user interaction, and high confidentiality impact but limited integrity impact. No official patch or remediation level has been published yet, and no known exploits are reported in the wild.

Successful exploitation results in total loss of confidentiality of the database and some loss of integrity due to unauthorized data insertion in a non-critical table. This can expose sensitive information stored in the database and potentially affect the reliability of some data, although critical data integrity is not fully compromised.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected functionality and monitor for suspicious activity related to SQL commands. Avoid exposing the vulnerable interface to untrusted networks. Follow vendor updates closely for an official patch or mitigation instructions.