GESIO SQL injection vulnerability
GESIO ERP versions earlier than 11.2.
INCIBE has coordinated the publication of a vulnerability in the GESIO ERP software, with the internal code INCIBE-2020-225, discovered by Francisco Palma, Luis Vázquez and Diego León.
CVE-2020-8967 has been assigned to this vulnerability. A CVSS v3 base score of 10 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C/CR:H/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H.
Update to version 11.2.
GESIO ERP is vulnerable to SQL injection through the "idsite" URL parameter handled by the cms_plantilla_sites.php file.
Exploitation of this vulnerability could allow a remote attacker to carry out at least three types of attack:
- Error-based attack,
- Time-based attack,
- Union query attack.
Through this vulnerability, an attacker could retrieve the entire contents of the database.
GESIO has taken the following actions to fix this issue:
- Enhancements to internal procedures.
- New anti-injection checks in the front-end code, available from version 11.2.
- Additional improvements to back-end functions, also available from version 11.2.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
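As an added illustration (not GESIO's code; the advisory does not publish the affected source), the CWE-89 pattern described above, where the raw "idsite" value becomes part of the SQL text, beside the type-checked, parameterised query that removes it. The table name and column names are assumed.

```php
<?php
// Illustrative only: the real cms_plantilla_sites.php is not public in the
// advisory. Table "sites" and its columns are assumed for the example.

// Weak form: the raw "idsite" parameter is concatenated into the query text,
// so a crafted value alters the statement itself. This is the condition that
// enables error-, time- and UNION-based extraction of the whole database.
function loadSiteTemplateWeak(PDO $db, array $get): ?array
{
    $idsite = $get['idsite'] ?? '';
    $sql = "SELECT id, nombre, plantilla FROM sites WHERE id = $idsite";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: validate the type first (idsite is a numeric identifier),
// then bind it as a typed parameter so the database never interprets it as
// SQL. Validation failures are rejected before any query runs.
function loadSiteTemplateSafe(PDO $db, array $get): ?array
{
    $raw = $get['idsite'] ?? null;
    $idsite = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($idsite === false) {
        throw new InvalidArgumentException('idsite must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, nombre, plantilla FROM sites WHERE id = :id');
    $stmt->bindValue(':id', $idsite, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage sketch (connection details assumed). Disabling emulated prepares makes
// the server perform the binding; exception mode lets the caller log database
// errors server-side instead of echoing them to the client, which closes the
// error-based information leak as well.
// $db = new PDO($dsn, $user, $pass, [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// try {
//     $site = loadSiteTemplateSafe($db, $_GET);
// } catch (InvalidArgumentException $e) {
//     http_response_code(400);
// }
```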
TIMELINE:
02/04/2019 – Disclosure by the researchers.
08/04/2020 – Researchers contact INCIBE.
21/04/2020 – GESIO Security Team confirms the vulnerability to INCIBE and confirms that the fixed version and security patch, v11.2, have been published.
01/06/2020 – The advisory is published by INCIBE.
If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.