Description

In webERP 4.15, the Import Bank Transactions function fails to sanitize the content of imported MT940 bank statement files, resulting in the execution of arbitrary SQL queries, aka SQL Injection.

Remediation

References

CVE-2019-7755

Related Vulnerabilities

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2010-4536)

MySQL CVE-2019-2580 Vulnerability (CVE-2019-2580)

WordPress Plugin MoodThingy Mood Rating Widget 'postID' Parameter Blind SQL Injection (0.8.7)

Drupal Core 9.2.x Directory Traversal (9.2.0 - 9.2.1)

MySQL CVE-2015-4737 Vulnerability (CVE-2015-4737)

Severity

High

Classification

CVE-2019-7755 CWE-138 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities