Description

A SQL Injection issue was discovered in webERP 4.15. Payments.php accepts payment data in base64 format. After this is decoded, it is deserialized. Then, this deserialized data goes directly into a SQL query, with no sanitizing checks.

Remediation

References

CVE-2019-13292

Related Vulnerabilities

WordPress Plugin Twenty20 Image Before-After Malicious Code (1.6.3)

Atlassian Jira Incorrect Authorization Vulnerability (CVE-2019-3401)

WordPress 6.3.x Multiple Vulnerabilities (6.3 - 6.3.2)

WordPress Plugin MailPoet Newsletters (Previous) Multiple Unspecified Vulnerabilities (2.7.1)

Oracle Database Server CVE-2006-3703 Vulnerability (CVE-2006-3703)

Severity

Critical

Classification

CVE-2019-13292 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities