CVE-2021-38145: 
NixOS vulnerability analysis and mitigation

An SQL Injection vulnerability was discovered in Form Tools through version 3.0.20. The vulnerability exists when a low-privileged user (client) attempts to export a form with data via the exportgroupid field. The vulnerability can be exploited through manipulation of modules/exportmanager/export.php with parameters like exportgroupid=1&exportgroup1results=all&exporttypeid=1 (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The issue specifically affects the export functionality in the exportmanager module when processing the exportgroup_id parameter (NVD).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized access, modification, or deletion of data stored in the Form Tools database (NVD).

Users should upgrade to a version newer than Form Tools 3.0.20. The vulnerability has been addressed in subsequent releases (Form Tools Core).