SQL injection when configuring a database

Disclosed: 2021-01-14 21:33:09 By solov9ev To impresscms
Low
Vulnerability Details
## Summary:
I found a SQL Injection in the form of a system install (Database configuration)

## Steps To Reproduce:
- Run command: `git clone https://github.com/ImpressCMS/impresscms.git`
- Stop at a menu item: `Database configuration`
- In the `Database name` field, insert the following exploit:

```sql
impresscms`;create database `vuln
```

{F990522}
- Submit the form

{F990524}
- Two databases (`impresscms`, `vuln`) created successfully.

POC is attached to the report

## Supporting Material/References:
[PHP addslashes](https://www.php.net/manual/en/function.addslashes.php) - single quote ('), double quote ("), backslash, NUL (the NUL byte), but **Backtick is not escaped!**

## Impact
Executing arbitrary code on a database
Report Stats
  • Report ID: 983710
  • State: Closed
  • Substate: resolved
  • Upvotes: 13
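
The following is an added example, not part of the original report and not ImpressCMS code. It contrasts the pattern the report describes (an `addslashes()` result placed inside a backtick-quoted identifier) with a validated and properly quoted identifier. The function names are hypothetical, and it assumes the installer wraps the database name in backticks, as the reported input implies.

```php
<?php
// Added example: all function names here are hypothetical.

// Pattern described in the report: addslashes() escapes ', ", \ and NUL,
// but the value is used as a backtick-quoted identifier, not a string.
function build_create_db_unsafe(string $name): string
{
    return 'CREATE DATABASE `' . addslashes($name) . '`';
}

// Hardened form: accept only a conservative allowlist (MySQL identifiers
// are at most 64 characters), then double any backtick, which is MySQL's
// quoting rule for identifiers, as defence in depth.
function quote_db_identifier(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('Invalid database name');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

function build_create_db_safe(string $name): string
{
    return 'CREATE DATABASE ' . quote_db_identifier($name);
}

// Field value taken from the report's reproduction steps.
$input = 'impresscms`;create database `vuln';

// The backtick passes through addslashes() unchanged, so the quoted
// identifier ends early and the rest is parsed as SQL.
echo build_create_db_unsafe($input), PHP_EOL;

// The same value is rejected before any SQL is built.
try {
    echo build_create_db_safe($input), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// An ordinary name is quoted and accepted.
echo build_create_db_safe('impresscms'), PHP_EOL;
```

Identifiers cannot be bound as prepared-statement parameters, which is why the allowlist check carries the weight here.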