Multiple vulnerabilities in IDM Sistemas QSige

Posted date 14/09/2023
Identificador

INCIBE-2023-0392

Importance
4 - High
Affected Resources

QSige, 3.0.0.0 version.

Description

INCIBE has coordinated the publication of 7 vulnerabilities affecting IDM Sistemas QSige, an intelligent waiting management system, which have been discovered by Pablo Arias Rodríguez, Jorge Alberto Palma Reyes and Rubén Barberá Pérez, researchers from CSIRT-CV Red Team. Special thanks to all CSIRT-CV team.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector string and the CWE vulnerability type of each vulnerability:

  • CVE-2023-4097: CVSS v3.1: 8,8 | CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-434.
  • CVE-2023-4098: CVSS v3.1: 8,8 | CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-89.
  • CVE-2023-4099: CVSS v3.1: 7,6 | CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L | CWE-639.
  • CVE-2023-4100: CVSS v3.1: 6,5 | CVSS: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L | CWE-79.
  • CVE-2023-4101: CVSS v3.1: 8,8 | CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-639.
  • CVE-2023-4102: CVSS v3.1: 8,8 | CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-89.
  • CVE-2023-4103: CVSS v3.1: 8,8 | CVSS: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-89.
Solution

The reported vulnerabilities are fixed in the latest version of the affected product.

Detail
  • CVE-2023-4097: the file upload functionality is not implemented correctly and allows uploading of any type of file. As a prerequisite, it is necessary for the attacker to log into the application with a valid username.
  • CVE-2023-4098: remote SQLi vulnerability. It has been identified that the web application does not correctly filter input parameters, allowing SQL injections, DoS or information disclosure. As a prerequisite, it is necessary to log into the application.
  • CVE-2023-4099: the QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.
  • CVE-2023-4100: allows an attacker to perform XSS attacks stored on certain resources. Exploiting this vulnerability can lead to a DoS condition, among other actions.
  • CVE-2023-4101: the QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application.
  • CVE-2023-4102: QSige utilities are affected by a remote SQLi vulnerability. It has been identified that the web application does not correctly filter input parameters, allowing SQL injections, DoS or information disclosure. As a prerequisite, it is necessary to log into the application.
  • CVE-2023-4103: QSige statistics are affected by a remote SQLi vulnerability. It has been identified that the web application does not correctly filter input parameters, allowing SQL injections, DoS or information disclosure. As a prerequisite, it is necessary to log into the application.
References list