SQL injection vulnerability in CIGESv2 system
CIGESv2, versions prior to 2.15.5.
INCIBE has coordinated the publication of a vulnerability of critical severity that affects the queue and appointment management system CIGESv2, versions prior to 2.15.5, which has been discovered by Ángel Heredia and Asier Barranco from Telefónica Tech.
This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:
- CVE-2024-8161: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89.
The vulnerability has been resolved by the ATISolutions team in version 2.15.5.
CVE-2024-8161: SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information stored in the database.
