Jesse Meijer

Name of the Vulnerable Software and Affected Versions: SicommNet BASEC (SaaS Service) versions prior to the fixed version, which is not specified. Description: The issue is related to an SQL Injection vulnerability in the login page of SicommNet BASEC, allowing an unauthenticated remote attacker to bypass authentication and execute arbitrary SQL commands. This vulnerability has been present in the solution at least since December 14, 2021, and likely before that. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SicommNet BASEC versions from 14 Dec 2021 Description: The issue is related to insufficiently protected credentials, allowing password recovery. Passwords are stored in plain text using reversible encryption, which enables an attacker with sufficient privileges to easily extract plain text passwords. Recommendations: For versions from 14 Dec 2021, consider restricting access to password recovery features until a proper fix is implemented. As a temporary workaround, limit privileges to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SicommNet BASEC versions from 14 Dec 2021 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Reflected XSS, XSS Through HTTP Query Strings, Rendering of Arbitrary HTML, and alteration of CSS Styles. Recommendations: For versions from 14 Dec 2021, as a temporary workaround, consider restricting user input in web page generation to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.