An unauthenticated time-based SQL injection in Webkul QloApps 1.6.0, reachable through the GET parameters date_from, date_to, and id_product, allows a remote attacker to retrieve the contents of the entire database.
View the template here: CVE-2023-36284.yaml
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36284
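
An added example, not part of the original page or of QloApps itself: a log triage script that flags requests whose date_from, date_to or id_product values do not match a strict expected shape, which is how input that is not a plain date or integer shows up in access logs. The YYYY-MM-DD date format, the numeric id, the combined log format and the /example-endpoint path are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Expected value shapes: assumptions for this example, not taken from QloApps source.
EXPECTED = {
    "date_from": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "date_to": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "id_product": re.compile(r"\d{1,10}"),
}

# Client address and request target from a combined-format access log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return sorted names of watched parameters with a value outside the expected shape."""
    params = parse_qs(urlsplit(url).query)  # URL-decodes values, groups repeated keys
    bad = set()
    for raw_name, values in params.items():
        name = raw_name.split("[", 1)[0]  # treat id_product[] like id_product
        pattern = EXPECTED.get(name)
        if pattern and any(not pattern.fullmatch(v) for v in values):
            bad.add(name)
    return sorted(bad)


def triage(log_lines):
    """Return (client, [parameter names]) for every request that needs a closer look."""
    findings = []
    for line in log_lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, url = match.groups()
        bad = suspicious_params(url)
        if bad:
            findings.append((client, bad))
    return findings


# Constructed sample log lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2023:10:00:00 +0000] "GET /example-endpoint?date_from=2023-07-10&date_to=2023-07-12&id_product=3 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Jul/2023:10:00:05 +0000] "GET /example-endpoint?date_from=2023-07-10&date_to=2023-07-12&id_product=3%27%20AND%20constructed_marker HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Jul/2023:10:00:14 +0000] "GET /example-endpoint?date_from=2023-07-10%29%20constructed_marker&date_to=x&id_product=3 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, names in triage(SAMPLE_LOG):
        print(f"{client}: unexpected value in {', '.join(names)}")
```

The same allowlist shapes can be enforced in front of the application (for example in a WAF or reverse-proxy rule) while an affected install is being upgraded.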