Cisco Talos researchers recently discovered a SQL injection vulnerability in Glacies' IceHRM software. IceHRM is a human resource management tool that allows users to create and track employee timesheets, upload documents and manage payroll. An attacker could send the software a specially crafted HTTP request whose contents are passed into a database query, resulting in SQL injection. This could allow the attacker to read information such as usernames and password hashes stored in the software's database.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Glacies to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
Glacies IceHRM admin reports SQL injection vulnerability (TALOS-2020-1067/CVE-2020-6114)
An exploitable SQL injection vulnerability exists in the admin reports functionality of Glacies IceHRM v26.6.0.OS (commit bb274de1751ffb9d09482fd2538f9950a94c510a). A specially crafted HTTP request can cause SQL injection. The request must be authenticated, so an attacker needs a valid account on the application to trigger this vulnerability.
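The advisory does not publish the affected query or parameter, so the following is an added illustration of the vulnerability class rather than IceHRM's own code: a hypothetical report-lookup handler that splices a request parameter (called report_id here, an assumed name) into its SQL, beside the same lookup with a bound parameter. The tables, rows, placeholder hashes and the injection payload are all constructed for the example. SQLite stands in for the application's database; the point carries over to any engine.

```python
import sqlite3

# Constructed sample data, not taken from IceHRM: a users table with placeholder
# password hashes and a reports table, mimicking what an HR application stores.
SAMPLE_USERS = [
    (1, "admin", "$2y$10$placeholder-hash-for-admin"),
    (2, "jdoe", "$2y$10$placeholder-hash-for-jdoe"),
]
SAMPLE_REPORTS = [
    (1, "Attendance", 1),
    (2, "Payroll", 1),
    (3, "Leave", 2),
]

# Constructed injection payload for the hypothetical 'report_id' parameter: it closes
# the quoted literal, appends a UNION that reads the users table through the two
# columns the report query already returns, and comments out the trailing quote.
PAYLOAD = "x' UNION ALL SELECT username, password_hash FROM users -- "


def make_db():
    """Build an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE reports (id INTEGER, name TEXT, owner_id INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", SAMPLE_REPORTS)
    return conn


def report_lookup_vulnerable(conn, report_id):
    """Hypothetical report handler that splices the request parameter into the SQL text.

    Whatever the caller sends in 'report_id' becomes part of the statement, so a
    value containing a quote changes the query's structure instead of being data.
    """
    sql = "SELECT id, name FROM reports WHERE id = '" + report_id + "'"
    return conn.execute(sql).fetchall()


def report_lookup_fixed(conn, report_id):
    """Same lookup with a bound parameter: the value reaches the engine as data,
    so quotes, UNIONs and comment markers inside it never reach the SQL parser."""
    sql = "SELECT id, name FROM reports WHERE id = ?"
    return conn.execute(sql, (report_id,)).fetchall()


def demo():
    """Run both handlers with a normal value and with the payload; return the rows."""
    conn = make_db()
    return {
        "vulnerable_normal": report_lookup_vulnerable(conn, "1"),
        "vulnerable_payload": report_lookup_vulnerable(conn, PAYLOAD),
        "fixed_normal": report_lookup_fixed(conn, "1"),
        "fixed_payload": report_lookup_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the vulnerable handler returns every username and password hash in place of the report row, which is exactly the exposure the advisory describes; the parameterized handler returns no rows because the whole payload is compared as an opaque string. The example does not model authentication; in the real issue the request must come from an authenticated session, which limits who can reach the flaw but does not make string concatenation safe. For a purely numeric identifier, casting the parameter to an integer before it is used is a second, independent layer on top of parameter binding.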
Versions tested
Talos tested and confirmed that this vulnerability affects IceHRM version 26.6.0.OS (commit bb274de1751ffb9d09482fd2538f9950a94c510a).
Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 53944, 53945