PT-2021-17136 · Talariax · Talariax Sendquick Alert Plus Server Admin
Edmund Ong +1 · Published 2021-11-12 · Updated 2021-11-17
CVE-2021-26795
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
TalariaX sendQuick Alert Plus Server Admin version 4.3 before 8HF11
Description
A SQL Injection issue in the /appliance/shiftmgn.php endpoint allows attackers to obtain sensitive information via a Roster Time to Roster Management.
Recommendations
Update TalariaX sendQuick Alert Plus Server Admin version 4.3 to 8HF11 or later, which includes the fix for this issue.
As a temporary workaround, consider restricting access to the /appliance/shiftmgn.php endpoint until the update has been applied.
Weakness Enumeration
SQL injection
Affected Products
Talariax Sendquick Alert Plus Server Admin