Summary
webERP is prone to information-disclosure, SQL-injection, and cross- site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks.
An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie- based authentication credentials and launch other attacks.
webERP 4.0.5 is vulnerable
prior versions may also be affected.
Solution
Vendor updates are available. Please see the references for more information.
References
Severity
Classification
-
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Atlassian JIRA Privilege Escalation and Multiple Cross Site Scripting Vulnerabilities
- A Really Simple Chat Multiple SQL Injection Vulnerabilities
- ArticleSetup Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
- Andy's PHP Knowledgebase 'step5.php' Remote PHP Code Execution Vulnerability
- Adobe ColdFusion Components (CFC) Denial Of Service Vulnerability