SQL injection vulnerability in SEUR plugin
SEUR plugin, versions prior to 2.5.11.
INCIBE has coordinated the publication of one vulnerability of critical severity that affects the plugin developed by SEUR, versions 2.5.11 and earlier, discovered by researchers Ángel Heredia Pérez and Daniel Collado Tomé, from Telefónica Tech.
This vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- CVE-2024-9201: 9.4 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | CWE-89
This vulnerability has already been fixed by SEUR in version 2.5.11, published on 16/04/2024. The latest version available is 2.5.14. SEUR recommends that its customers connect to its platform to download and update to the latest version of the module.
CVE-2024-9201: the SEUR plugin, in its versions prior to 2.5.11, is vulnerable to time-based SQL injection through the use of the ‘id_order’ parameter of the ‘/modules/seur/ajax/saveCodFee.php’ endpoint.
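The advisory only names the weakness class (CWE-89), the endpoint and the parameter; it does not show the plugin's code. The following added example, which is not SEUR's code and makes no claim about how the real module is written, illustrates the generic pattern behind a time-based SQL injection in an order-id parameter and the corresponding fix: an order table, a handler that interpolates the request value into the SQL text, and a hardened handler that validates the parameter as an integer and binds it. The table, column names and sample rows are constructed for the illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for an order table (assumption, not the plugin's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id_order INTEGER PRIMARY KEY, cod_fee REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, 0.0), (2, 0.0), (3, 0.0)])
    conn.commit()
    return conn

def save_cod_fee_unsafe(conn, id_order, fee):
    """CWE-89 pattern: the untrusted id_order value becomes part of the SQL text.
    Whatever the client sends is parsed by the database as SQL, which is what allows
    an attacker to attach conditions, or time-delaying expressions, to the statement."""
    sql = "UPDATE orders SET cod_fee = %s WHERE id_order = %s" % (float(fee), id_order)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # how many rows the request actually touched

def save_cod_fee_safe(conn, id_order, fee):
    """Hardened form: strict type validation plus a bound parameter.
    The value never reaches the SQL parser as text, so it can only ever be an integer key."""
    if not isinstance(id_order, str) or not id_order.isdigit():
        raise ValueError("id_order must be a positive integer")
    cur = conn.execute(
        "UPDATE orders SET cod_fee = ? WHERE id_order = ?",
        (float(fee), int(id_order)),
    )
    conn.commit()
    return cur.rowcount

def demo():
    """Compare both handlers on an honest value and on a tampered value (constructed)."""
    conn = make_db()
    honest = "2"
    tampered = "2 OR 1=1"  # tautology that widens the WHERE clause to every row
    affected_unsafe = save_cod_fee_unsafe(conn, tampered, "1.5")  # touches all 3 orders
    affected_safe = save_cod_fee_safe(conn, honest, "1.5")        # touches exactly 1
    try:
        save_cod_fee_safe(conn, tampered, "1.5")
        rejected = False
    except ValueError:
        rejected = True  # tampered value never reaches the database
    return affected_unsafe, affected_safe, rejected

if __name__ == "__main__":
    print(demo())
```

The same two-step defence (reject anything that is not the expected type, then bind the value as a parameter) is what turns a time-based injection into a plain validation error, because the delay expression can no longer be parsed as SQL. Until the module is updated to a fixed version, web-server or WAF logs for requests to the endpoint above whose id_order value is not a plain integer are a reasonable detection signal.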