ARP-GUARD 4.0.0-5 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) Vulnerability


While analyzing the implementation of the ARP-GUARD web interface, one SQL injection vulnerability was identified that can be exploited to dump all database data, including the usernames and passwords for the web application. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.


The information has been provided by Pascal Keul 

The original article can be found at:



A SQL injection vulnerability in a /login/forgot1 POST request in ARP-GUARD 4.0.0-5 allows unauthenticated remote attackers to execute arbitrary SQL commands via the user_id parameter.
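The following is an added example, not ARP-GUARD code and not part of the original advisory: it contrasts a password-reset lookup that concatenates `user_id` into the SQL text with one that binds it as a parameter. The table schema, function names, sample rows and test input are all constructed assumptions, and SQLite stands in for whatever database the product uses.

```python
import re
import sqlite3

def make_db():
    """In-memory database with a hypothetical users table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", "constructed-hash-a"),
        ("bob", "bob@example.test", "constructed-hash-b"),
    ])
    return db

def lookup_concatenated(db, user_id):
    """Flawed pattern: the request value becomes part of the SQL statement itself."""
    sql = "SELECT email FROM users WHERE user_id = '" + user_id + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, user_id):
    """Hardened pattern: the value is bound, so it can only ever be compared as data."""
    cur = db.execute("SELECT email FROM users WHERE user_id = ?", (user_id,))
    return [row[0] for row in cur]

# Defense in depth: allow-list for the identifier format (assumed format, adjust to the real one).
USER_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def handle_forgot(db, user_id):
    """Hypothetical handler for the reset form: validate, then query with a bound parameter.
    Returns the address to notify, or None; the caller should answer identically in both cases."""
    if not USER_ID_RE.fullmatch(user_id):
        return None
    rows = lookup_parameterized(db, user_id)
    return rows[0] if rows else None

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing SQL metacharacters
    print("concatenated :", lookup_concatenated(db, crafted))   # predicate rewritten, all rows match
    print("parameterized:", lookup_parameterized(db, crafted))  # no user has this literal id
    print("handler      :", handle_forgot(db, crafted))         # rejected by the allow-list
```

The same comparison works as a regression test after patching: any value that changes the result set of the concatenated form must return nothing from the bound form.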


Vulnerable Systems:

ARP-GUARD 4.0.0-5 


CVE Information:



Disclosure Timeline:
Published Date: 11/4/2019