Programi Bilanc build 007 release 014 31.01.2020 suffers from multiple remote SQL injection vulnerabilities.
0f84f21e3beafbe18dfb7c4f53021779Programi Bilanc - Build 007 Release 014 31.01.2020 - Multiple SQL Injections
=============================================================================
Identifiers
-------------------------------------------------
CVE-2020-11717
Vendor
-------------------------------------------------
Balanc Shpk (https://bilanc.com)
Product
-------------------------------------------------
Programi Bilanc
Affected versions
-------------------------------------------------
Programi Bilanc - Build 007 Release 014 31.01.2020 and probably below
Credit
-------------------------------------------------
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)
Christian Pappas / Lufthansa Industry Solutions (@LHIND_DLH)
Vulnerability summary
-------------------------------------------------
Programi Bilanc - Build 007 Release 014 31.01.2020 and below suffers from multiple SQL Injection vulnerabilities due to unprepared statements .
Technical details
------------------------------------------------
When searching for products or services entering modified content an attacker can trigger Reflected Cross-Site
scriptings
Proof of concept
-------------------------------------------------
Witheld
Solution
-------------------------------------------------
Don’t use the software in its current version & contact vendor for a solution
Timeline
-------------------------------------------------
Date| Status
------------|--------------------
01–APR-2020 | Reported to vendor
30-JUN-2020 | End of 90 days Full Disclosure Time
17-DEZ-2020 | FULL disclosure