Yuri Kramarz of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Cisco Talos researchers recently discovered that the Glacies' IceHRM software contains a vulnerability that could allow an adversary to inject SQL. IceHRM is a human resource management tool, allowing users to create and track timesheets for employees, upload documents and manage payroll. An attacker could send the software a specially crafted HTTP request, which can open the door for SQL injection. This could allow the attacker to access information such as usernames and password hashes stored in the software's database.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Glacies to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
Glacies IceHRM admin reports SQL injection vulnerability (TALOS-2020-1067/CVE-2020-6114)
An exploitable SQL injection vulnerability exists in the admin reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a). A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. Read the complete vulnerability advisory here for additional information.
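As an added illustration (this is not IceHRM's code and not the specific query from the advisory), the defect class behind a report-filter SQL injection beside its hardened form, using a constructed in-memory SQLite schema; the hardened version binds values as parameters and whitelists the sort column, since identifiers cannot be bound:

```python
import sqlite3

# Constructed stand-in for an HR database; the tables and rows are invented.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees(id INTEGER, name TEXT, department TEXT);
        CREATE TABLE users(username TEXT, password_hash TEXT);
        INSERT INTO employees VALUES (1, 'Alice', 'Engineering'), (2, 'Bob', 'Finance');
        INSERT INTO users VALUES ('admin', 'hash-A'), ('hr', 'hash-B');
    """)
    return conn

def report_vulnerable(conn, department):
    # The defect: an HTTP parameter is spliced into the SQL text, so its
    # quotes and keywords become part of the statement structure.
    sql = "SELECT name FROM employees WHERE department = '%s'" % department
    return [row[0] for row in conn.execute(sql)]

ALLOWED_SORT = {"name", "department"}

def report_hardened(conn, department, order_by="name"):
    # Values travel as bound parameters and never alter the query shape;
    # the sort column is an identifier, so it is checked against a whitelist.
    if order_by not in ALLOWED_SORT:
        raise ValueError("unsupported sort column")
    sql = "SELECT name FROM employees WHERE department = ? ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql, (department,))]

# Constructed textbook input that closes the string and appends a UNION.
CONSTRUCTED_PAYLOAD = "' UNION SELECT username || ':' || password_hash FROM users --"

def demo():
    conn = make_db()
    # Vulnerable path leaks the users table; hardened path matches no department.
    return report_vulnerable(conn, CONSTRUCTED_PAYLOAD), report_hardened(conn, CONSTRUCTED_PAYLOAD)
```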
Versions tested
Talos tested and confirmed that this vulnerability affects IceHRM, version 26.6.0.OS (commit bb274de1751ffb9d09482fd2538f9950a94c510a).
Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 53944, 53945