Programi Bilanc - Build 007 Release 014 31.01.2020 - Multiple SQL Injections
=============================================================================
Identifiers
-------------------------------------------------
CVE-2020-11717
Vendor
-------------------------------------------------
Bilanc Shpk (https://bilanc.com)
Product
-------------------------------------------------
Programi Bilanc
Affected versions
-------------------------------------------------
Programi Bilanc - Build 007 Release 014 31.01.2020 and probably below
Credit
-------------------------------------------------
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)
Christian Pappas / Lufthansa Industry Solutions (@LHIND_DLH)
Vulnerability summary
-------------------------------------------------
Programi Bilanc - Build 007 Release 014 31.01.2020 and below suffers from multiple SQL injection vulnerabilities due to unprepared statements.
Technical details
-------------------------------------------------
When searching for products or services, an attacker entering modified content can trigger reflected cross-site scripting.
Proof of concept
-------------------------------------------------
Withheld
Solution
-------------------------------------------------
Do not use the software in its current version and contact the vendor for a solution.
Timeline
-------------------------------------------------
Date         Status
-------------------------------------------------
01-APR-2020  Reported to vendor
30-JUN-2020  End of 90-day full disclosure period
17-DEC-2020  Full disclosure