CVE-2019-13292

Name of the Vulnerable Software and Affected Versions webERP version 4.15

Description A SQL Injection issue was discovered. The issue concerns the handling of payment data in the Payments.php file, which accepts data in base64 format. This data is decoded and then deserialized. The deserialized data is directly inserted into a SQL query without any sanitizing checks.

Recommendations For webERP version 4.15, consider implementing sanitizing checks on the deserialized data before it is inserted into SQL queries to prevent SQL injection attacks. As a temporary workaround, restrict access to the Payments.php file to minimize the risk of exploitation.