CVE-2018-8820

Name of the Vulnerable Software and Affected Versions Square 9 GlobalForms version 6.2.x

Description A Time Based SQL injection issue allows remote authenticated attackers to execute arbitrary SQL commands via the match parameter. This can potentially lead to a full server compromise through xp cmdshell. In some cases, the authentication requirement can be bypassed by using default admin credentials.

Recommendations For Square 9 GlobalForms version 6.2.x, consider disabling the match parameter as a temporary workaround until a patch is available. Restrict access to the xp cmdshell to minimize the risk of exploitation. Avoid using default admin credentials and ensure all accounts have strong, unique passwords. At the moment, there is no information about a newer version that contains a fix for this vulnerability.