SQL injection vulnerability in CIGESv2 system

Posted date 26/08/2024
Importance
5 - Critical
Affected Resources

CIGESv2, versions prior to 2.15.5.

Description

INCIBE has coordinated the publication of a vulnerability of critical severity that affects the queue and appointment management system CIGESv2, versions prior to 2.15.5, which has been discovered by Ángel Heredia and Asier Barranco from Telefónica Tech.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2024-8161: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89.
Solution

The vulnerability has been resolved by the ATISolutions team in version 2.15.5.

Detail

CVE-2024-8161: SQL injection vulnerability in ATISolutions CIGES affecting versions lower than 2.15.5. This vulnerability allows a remote attacker to send a specially crafted SQL query to the /modules/ajaxServiciosCentro.php point in the idCentro parameter and retrieve all the information stored in the database.

References list