CVE-2019-17128

Name of the Vulnerable Software and Affected Versions Netreo OmniCenter versions prior to 12.1.2

Description The issue allows unauthenticated SQL Injection, specifically Boolean Based Blind SQL Injection, in the redirect parameters and parameter name of the login page through a GET request. This enables an attacker to read sensitive information from the database used by the application.

Recommendations For Netreo OmniCenter versions prior to 12.1.2, update to a version that contains a fix for this issue to prevent SQL Injection attacks. As a temporary workaround, consider restricting access to the login page to minimize the risk of exploitation. Avoid using the vulnerable redirect parameters in the login page until the issue is resolved.