CVE-2015-1036 - Vulnerability in HRIS software (HRMS product) - SQL injection (as an authenticated user)

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

A vulnerability in the HRIS software (HRMS product) leads to an SQL injection, if the user is authenticated.

Details about vulnerability

Input elements used by /WrkFlw.aspx are not neutralized or incorrectly neutralizes the input that can sent unwanted SQL commands to the downstream component.

Version vulnerable

Versions belows 4.17 are vulnerable. This vulnerability is fixed in version 4.17.


We are not aware of any fixes. The vendor was contacted the 9th January 2015 for more information.




CIRCL would like to thank the reporter.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.


  • Version 1.0 - TLP:WHITE - First version (20150629)