PT-2022-11441 · Unknown · Selectsurvey.Net

Garrett Foster

Published

2022-01-28

Updated

2022-02-02

CVE-2021-41609

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SelectSurvey.NET versions prior to 5.052.000

Description The issue allows a remote, unauthenticated attacker to retrieve data from the application's backend database. This is achieved through SQL injection in the ID parameter of the "UploadedImageDisplay.aspx" endpoint. The attack can be performed using boolean-based blind and UNION injection techniques.

Recommendations For versions prior to 5.052.000, update to version 5.052.000 or later to resolve the issue. As a temporary workaround, consider restricting access to the "UploadedImageDisplay.aspx" endpoint to minimize the risk of exploitation. Avoid using the ID parameter in the affected endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2021-41609

Affected Products

Selectsurvey.Net

PT-2022-11441 · Unknown · Selectsurvey.Net

CVE-2021-41609

Weakness Enumeration

Related Identifiers

Affected Products

References · 4