Primion-Digitek Secure 8 SQL injection vulnerability

Posted date 18/06/2021
5 - Critical
Affected Resources

Secure 8 (Evalos), version


INCIBE has coordinated the publication of a vulnerability in Secure 8 system, with the internal code INCIBE-2021-0243, which has been discovered by Ander Martínez of Titanium Industrial Security.

CVE-2021-3604 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.


This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5.


Primion-Digitek Secure 8 does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection.

An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.

This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5.

CWE 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').


14/12/2020 – Researchers disclosure.
04/02/2021 – Researchers contact with INCIBE.
05/05/2021 – Primion-Digitek confirms the vulnerability to INCIBE and confirms that the fix version and the release software patch have been published (Security Patch).
18/06/20201 – The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración