Primion-Digitek Secure 8 SQL injection vulnerability
Secure 8 (Evalos), version 1.0.1.55.
INCIBE has coordinated the publication of a vulnerability in the Secure 8 system, with the internal code INCIBE-2021-0243, which has been discovered by Ander Martínez of Titanium Industrial Security.
CVE-2021-3604 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5.
Primion-Digitek Secure 8 does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection.
An attacker could exploit this vulnerability to extract information about user and administrator accounts stored in the database.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
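The advisory does not publish the affected code, so the following is an added example (not code from the advisory, INCIBE or Primion-Digitek) of the CWE-89 pattern it describes and of the fix a developer would apply. It uses an in-memory SQLite table as a stand-in for the product's user store; the table layout, the rows and the function names are assumptions for illustration only. The vulnerable lookup pastes the untrusted value into the SQL text, so a single apostrophe in the input already changes the statement the parser sees; the hardened lookup binds the value as a parameter, and an allowlist check at the input boundary is added as defence in depth.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the product's user store.
    The schema and rows are assumptions for this example, not the real product's."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("o'brien", "user"), ("admin", "administrator")],
    )
    conn.commit()
    return conn


def lookup_role_vulnerable(conn, username):
    """CWE-89 pattern: the untrusted value becomes part of the SQL text, so any
    quote character in it alters the statement structure instead of being data."""
    query = f"SELECT role FROM users WHERE username = '{username}'"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # A syntax error on ordinary input containing an apostrophe is the
        # tell-tale sign that user data is reaching the SQL parser.
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def lookup_role_fixed(conn, username):
    """Hardened form: the statement text is constant and the value travels as a
    bound parameter, so the database never interprets it as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ?", (username,)
    ).fetchone()
    return ("ok", row[0] if row else None)


# Allowlist for usernames (an assumed policy for this example). Note that it
# deliberately permits an apostrophe, as in "o'brien": validation narrows the
# input space but does not replace parameterisation.
USERNAME_RE = re.compile(r"[A-Za-z0-9._'-]{1,64}")


def is_valid_username(username):
    """Defence-in-depth check at the input boundary; rejects control characters,
    whitespace, statement separators and over-long values before the DB layer."""
    return bool(USERNAME_RE.fullmatch(username))


if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "o'brien", "nobody"):
        print(f"{name!r:12} vulnerable -> {lookup_role_vulnerable(db, name)}")
        print(f"{name!r:12} fixed      -> {lookup_role_fixed(db, name)}")
    for name in ("alice", "a b; c", ""):
        print(f"{name!r:12} allowlist  -> {is_valid_username(name)}")
```

Running the block shows the two lookups agreeing on plain input and diverging as soon as the value contains an apostrophe: the concatenated query fails with a parser error (the same property an attacker probes blindly), while the parameterised one returns the correct row. The allowlist is kept separate on purpose so that the parameter binding, not the regex, is the control that removes the injection.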
Timeline:
14/12/2020 – Researchers' disclosure.
04/02/2021 – Researchers contact INCIBE.
05/05/2021 – Primion-Digitek confirms the vulnerability to INCIBE and confirms that the fixed version and the software patch (Security Patch) have been published.
18/06/2021 – The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.