philippe.leblond-cbd
2/5/2013 6:36:20 AM
Elevation of privileges through Macro Expressions
The vulnerability exists due to insufficient validation of Macro Expressions. Successful exploitation of this vulnerability requires write access to a field or editable region where a Macro Expression is accepted. Permission to edit SQL code is not required. A remote user can manipulate SQL queries and execute arbitrary SQL commands within the application's database.

The following proof of concept demonstrates the vulnerability:

    {% GlobalObjects.Users.Where("1=0) SELECT 1 FROM AllData\r\nUPDATE CMS_User SET UserIsGlobalAdministrator=1 WHERE UserName='test'\r\nCOMMIT--") %}
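For auditing content that is already stored, the following is an added example (not part of the original report and not the vendor's code): a heuristic scanner that flags macro expressions whose `Where("...")` argument does more than express a filter condition. The field names, the benign sample macro and the heuristics themselves are assumptions made for this illustration.

```python
import re

# Macro blocks are delimited {% ... %}, as in the proof of concept above.
MACRO_RE = re.compile(r"\{%(.*?)%\}", re.DOTALL)
# Double-quoted string argument of a .Where("...") call (backslash escapes allowed).
WHERE_RE = re.compile(r'\.Where\(\s*"((?:[^"\\]|\\.)*)"\s*\)', re.DOTALL)
# Statement keywords that have no place in a plain filter condition (heuristic).
STATEMENT_RE = re.compile(r"\b(SELECT|UPDATE|INSERT|DELETE|DROP|ALTER|EXEC|COMMIT)\b", re.I)


def audit_where_argument(arg):
    """Return the reasons a Where() argument looks like more than a filter."""
    reasons = []
    depth = 0
    for ch in arg:
        depth += ch == "("
        depth -= ch == ")"
        if depth < 0:  # e.g. "1=0)" closes the clause the application opened
            reasons.append("closes a parenthesis it did not open")
            break
    if STATEMENT_RE.search(arg):
        reasons.append("contains a SQL statement keyword")
    if "--" in arg or "/*" in arg:
        reasons.append("contains a SQL comment marker")
    if "\\r" in arg or "\\n" in arg or "\n" in arg or ";" in arg:
        reasons.append("contains a statement separator or line break")
    return reasons


def scan_fields(fields):
    """Map field name -> list of (where_argument, reasons) for flagged macros."""
    findings = {}
    for name, text in fields.items():
        for macro in MACRO_RE.findall(text):
            for arg in WHERE_RE.findall(macro):
                reasons = audit_where_argument(arg)
                if reasons:
                    findings.setdefault(name, []).append((arg, reasons))
    return findings


# Constructed sample data: hypothetical field names; poc_field holds the macro quoted above.
SAMPLE_FIELDS = {
    "benign_field": '{% GlobalObjects.Users.Where("UserName = \'test\'") %}',
    "poc_field": '{% GlobalObjects.Users.Where("1=0) SELECT 1 FROM AllData\\r\\nUPDATE CMS_User '
                 "SET UserIsGlobalAdministrator=1 WHERE UserName='test'\\r\\nCOMMIT--\") %}",
    "plain_text": "No macro here, just the word SELECT.",
}
```

A scan like this helps find stored expressions that need review; it does not replace validating the macro argument before it reaches the SQL query.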