Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
A vulnerability in the HRIS software (HRMS product) leads to an SQL injection, if the user is authenticated.
Details about vulnerability
Input elements used by /WrkFlw.aspx are not neutralized or incorrectly neutralizes the input that can sent unwanted SQL commands to the downstream component.
Versions belows 4.17 are vulnerable. This vulnerability is fixed in version 4.17.
We are not aware of any fixes. The vendor was contacted the 9th January 2015 for more information.
CIRCL would like to thank the reporter.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.0 - TLP:WHITE - First version (20150629)