Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

SQL Injection vulnerability on SCAN_VISIO eDocument Suite Web Viewer from Abast

Posted date 21/03/2024
Identificador
INCIBE-2024-0154
Importance
5 - Critical
Affected Resources

SCAN_VISIO eDocument Suite Web Viewer, version 3.28.1 and below SCAN_VISIO eDocument Suite Web Viewer, version 3.28.1 and below.

Description

INCIBE has coordinated the publication of one vulnerability that affects SCAN_VISIO eDocument Suite Web Viewer version 3.28.1 and below, which has been discovered by Alberto Gasulla with special thanks to Ismael Pacheco Torrecilla.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2024-29732: CVSS v3.1: 9,8 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. | CWE-89.
Solution

Vulnerability has been fixed in later versions. 

Detail

CVE-2024-29732: A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via "user" parameter.

References list
SCAN_VISIO eDocument Suite
Etiquetas