Home / Early Warning / Ics Advisories / Primion-Digitek Secure 8 SQL injection vulnerability

Primion-Digitek Secure 8 SQL injection vulnerability

Publication date: 
06/18/2021
Importance: 
5 - Crítica
Affected resources: 

Secure 8 (Evalos), version 1.0.1.55.

Description: 

INCIBE has coordinated the publication of a vulnerability in Secure 8 system, with the internal code INCIBE-2021-0243, which has been discovered by Ander Martínez of Titanium Industrial Security.

CVE-2021-3604 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Solution: 

This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5.

Detail: 

Primion-Digitek Secure 8 does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection.

An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.

This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5.

CWE 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

Timeline:

14/12/2020 – Researchers disclosure.
04/02/2021 – Researchers contact with INCIBE.
05/05/2021 – Primion-Digitek confirms the vulnerability to INCIBE and confirms that the fix version and the release software patch have been published (Security Patch).
18/06/20201 – The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE Assignment and publication section.

Encuesta valoración