PT-2018-11509 · Softexpert · Softexpert Excellence Suite

Published

2018-07-09

Updated

2018-09-05

CVE-2018-12977

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SoftExpert Excellence Suite version 2.0

Description A SQL injection issue allows remote authenticated users to perform SQL heuristics by pulling information from the database. This is achieved by manipulating the cddocument parameter in the "Downloading Electronic Documents" section.

Recommendations For SoftExpert Excellence Suite version 2.0, avoid using the cddocument parameter in the "Downloading Electronic Documents" section until a fix is available. As a temporary workaround, consider restricting access to the "Downloading Electronic Documents" section to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2018-12977

Affected Products

Softexpert Excellence Suite

PT-2018-11509 · Softexpert · Softexpert Excellence Suite

CVE-2018-12977

Weakness Enumeration

Related Identifiers

Affected Products

References · 3