PT-2020-16562 · Aptean · Aptean Product Configurator

Alexander Drabek · Published 2020-10-16 · Updated 2020-10-26 · CVE-2020-26944

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Aptean Product Configurator version 4.61.0000

Description: An issue affects the main login page, specifically the nameTxt parameter, allowing for a time-based SQL injection. This can be exploited directly and remotely.

Recommendations: For version 4.61.0000, avoid using the nameTxt parameter in the login page until the issue is resolved. As a temporary workaround, consider restricting access to the login page to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2020-26944

Affected Products

Aptean Product Configurator