Description
In webERP 4.15, the Import Bank Transactions function fails to sanitize the content of imported MT940 bank statement files, resulting in the execution of arbitrary SQL queries, aka SQL Injection.
Remediation
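The standard defence for this class of flaw, shown as an added example (not webERP's code and not from the original advisory): validate the structured `:61:` statement line against a strict pattern, and pass the free-text `:86:` narrative to the database only as a bound parameter. The table name `banktrans`, the simplified `:61:` pattern, the SQLite backend and the sample statement are assumptions made for illustration.

```python
import re
import sqlite3
from decimal import Decimal

# Simplified subset of the MT940 :61: statement line (assumption of this example):
# value date, optional entry date, debit/credit mark, optional funds code,
# amount with comma decimal, transaction type, reference, optional bank reference.
LINE_61 = re.compile(r"(\d{6})(\d{4})?(R?[CD])([A-Z])?(\d{1,12},\d{0,2})"
                     r"([A-Z][A-Z0-9]{3})([^/]{1,16})(?://.{1,16})?")

# Constructed sample statement; the :86: narratives carry quotes and SQL syntax.
SAMPLE = (":20:STMT001\n:25:12345678\n:28C:1/1\n:60F:C200114EUR1000,00\n"
          ":61:2001150115D123,45NTRFNONREF\n:86:Invoice 42'); DROP TABLE banktrans; --\n"
          ":61:200116C50,00NTRFREF0002\n:86:O'Brien refund\n:62F:C200116EUR926,55\n-\n")

def parse_mt940(text):
    """Return (value_date, mark, amount, reference, narrative) per transaction."""
    rows, tag = [], None
    for raw in text.splitlines():
        if raw.startswith(":61:"):
            m = LINE_61.fullmatch(raw[4:])
            if m is None:  # reject the whole file rather than guess at a bad line
                raise ValueError(f"malformed :61: line: {raw!r}")
            amount = str(Decimal(m[5].replace(",", ".")))
            rows.append([m[1], m[3], amount, m[7], ""])
            tag = "61"
        elif raw.startswith(":86:") and tag == "61":
            rows[-1][4] = raw[4:]          # free text: kept verbatim, never parsed as SQL
            tag = "86"
        elif raw.startswith(":") or raw == "-":
            tag = None                     # any other tag ends the transaction
        elif tag == "86":
            rows[-1][4] += "\n" + raw      # continuation line of the narrative
    return [tuple(r) for r in rows]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banktrans (value_date TEXT, mark TEXT, "
                 "amount TEXT, reference TEXT, narrative TEXT)")
    return conn

def import_statement(conn, text):
    rows = parse_mt940(text)               # parse everything before touching the DB
    with conn:                             # one transaction: all rows or none
        conn.executemany("INSERT INTO banktrans VALUES (?, ?, ?, ?, ?)", rows)
    return len(rows)

if __name__ == "__main__":
    db = make_db()
    print(import_statement(db, SAMPLE), "rows imported")
    for row in db.execute("SELECT * FROM banktrans"):
        print(row)
```
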
References