SQL injection vulnerability in CIGESv2 system
CIGESv2, versions prior to 2.15.5.
INCIBE has coordinated the publication of a vulnerability of critical severity that affects the queue and appointment management system CIGESv2, versions prior to 2.15.5, which has been discovered by Ángel Heredia and Asier Barranco from Telefónica Tech.
The vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2024-8161: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89.
The vulnerability has been resolved by the ATISolutions team in version 2.15.5.
CVE-2024-8161: SQL injection vulnerability in ATISolutions CIGES affecting versions prior to 2.15.5. This vulnerability allows a remote, unauthenticated attacker (PR:N in the vector above) to send a specially crafted SQL payload in the idCentro parameter of the /modules/ajaxServiciosCentro.php endpoint and retrieve all the information stored in the database.
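The following is an added, illustrative example of the CWE-89 pattern described above; it is not CIGES code and does not reproduce the real ajaxServiciosCentro.php logic. It models a hypothetical "services per centre" lookup over an in-memory SQLite database with constructed table and column names (servicios, usuarios, idCentro), shows how string concatenation of the idCentro value lets a crafted parameter pull rows from an unrelated table via UNION, and places the hardened version (integer validation plus a bound parameter) beside it.

```python
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a services table and a users table the
    endpoint was never meant to expose. Values are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE servicios (id INTEGER, idCentro INTEGER, nombre TEXT);
        CREATE TABLE usuarios (id INTEGER, usuario TEXT, password_hash TEXT);
        INSERT INTO servicios VALUES (1, 10, 'Atencion al ciudadano');
        INSERT INTO servicios VALUES (2, 10, 'Registro');
        INSERT INTO servicios VALUES (3, 20, 'Tributos');
        INSERT INTO usuarios VALUES (1, 'admin', '$2y$10$constructedhash');
        """
    )
    conn.commit()
    return conn


def services_vulnerable(conn: sqlite3.Connection, id_centro: str) -> list:
    """Deliberately vulnerable (CWE-89): the request parameter is pasted
    straight into the statement, so the database parses it as SQL."""
    sql = "SELECT id, idCentro, nombre FROM servicios WHERE idCentro = " + id_centro
    return conn.execute(sql).fetchall()


def services_safe(conn: sqlite3.Connection, id_centro: str) -> list:
    """Hardened form: validate the shape (idCentro is a numeric identifier),
    then bind the value so the driver never treats it as SQL text."""
    if not re.fullmatch(r"[0-9]+", id_centro):
        raise ValueError("idCentro must be a non-negative integer")
    sql = "SELECT id, idCentro, nombre FROM servicios WHERE idCentro = ?"
    return conn.execute(sql, (int(id_centro),)).fetchall()


def run_demo() -> dict:
    """Exercise both handlers with a benign value and two crafted ones."""
    conn = build_demo_db()
    # Hypothetical payloads, constructed for the demo; not from the advisory.
    tautology = "10 OR 1=1"
    union = "0 UNION SELECT id, usuario, password_hash FROM usuarios"
    results = {
        "benign_vulnerable": services_vulnerable(conn, "10"),
        "benign_safe": services_safe(conn, "10"),
        "tautology_vulnerable": services_vulnerable(conn, tautology),
        "union_vulnerable": services_vulnerable(conn, union),
    }
    try:
        services_safe(conn, tautology)
        results["tautology_safe_rejected"] = False
    except ValueError:
        results["tautology_safe_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The UNION payload works only because the attacker can guess or enumerate a matching column count, which is exactly what an error-based or blind probing phase establishes; the bound-parameter version removes that possibility regardless of what the attacker learns about the schema, and the regex check gives a cheap, logged rejection point before the database is touched.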