Home / Early Warning / Security Advisories / GESIO SQL injection vulnerability

GESIO SQL injection vulnerability

Publication date: 
06/01/2020
Importance: 
5 - Crítica
Affected resources: 

GESIO ERP versión earlier 11.2.

Description: 

INCIBE has coordinated the publication of a vulnerability in the GESIO ERP software, with the internal code INCIBE-2020-225, which has been discovered by Francisco Palma, Luis Vázquez, Diego León.

CVE-2020-8967 has been assigned to this vulnerability. A CVSS v3 base score of 10  has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C/CR:H/IR:H/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H.

Solution: 

Update to version 11.2

Detail: 

GESIO ERP is vulnerable to a SQL INJECTION in "idsite" URL parameter, included within the cms_plantilla_sites.php file.
The exploitation of this vulnerability might allow a remote attacker to execute at least three types of actions:

  • Error-based attack,
  • Time-based attack,
  • Union query attack.

Due to this vulnerability, an attacker is capable of retrieving all database information.

GESIO has deployed the following actions to fix this issue:

  • Internal procedures enhancements.
  • Implementation of new anti-injection programming checks on the front-end which will be available since version 11.2.
  • Additional functions improvements on the back-end, which will be also available since version 11.2.

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

TIMELINE:

02/04/2019 – Researchers disclosure.

08/04/2020 – Researchers contact with INCIBE.

21/04/2020 – GESIO Security Team confirms the vulnerability to INCIBE and confirms that the fix version and the release software patch have been published v11.2 (Security Patch).      

01/06/2020 – The advisory is published by INCIBE.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CNA disclosure policy.

Encuesta valoración