Description

A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.

Remediation

References

CVE-2019-13292

Related Vulnerabilities

WebLogic CVE-2020-2883 Vulnerability (CVE-2020-2883)

Drupal Core 9.2.x Cross-Site Request Forgery (9.2.0 - 9.2.5)

Ruby on Rails Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2011-0448)

MediaWiki Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2017-8809)

Oracle Application Server CVE-2009-0994 Vulnerability (CVE-2009-0994)

Severity

Critical

Classification

CVE-2019-13292 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities