Primion-Digitek Secure 8 SQL injection vulnerability

Posted date 18/06/2021
Importance
5 - Critical
Affected Resources

Secure 8 (Evalos), version 1.0.1.55.

Description

INCIBE has coordinated the publication of a vulnerability in Secure 8 system, with the internal code INCIBE-2021-0243, which has been discovered by Ander Martínez of Titanium Industrial Security.

CVE-2021-3604 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Solution

This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5.

Detail

Primion-Digitek Secure 8 does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection.

An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.

This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5.

CWE 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

Timeline:

14/12/2020 – Researchers disclosure.
04/02/2021 – Researchers contact with INCIBE.
05/05/2021 – Primion-Digitek confirms the vulnerability to INCIBE and confirms that the fix version and the release software patch have been published (Security Patch).
18/06/20201 – The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración

References list
Ficha de producto
Ficha técnica
Vulnerabilidades 0 day en primion
Etiquetas