Platform: php
Component: gesio-erp
Fixed in: 11.2
CVE-2020-8967 is a critical SQL Injection vulnerability affecting GESIO ERP versions up to and including 11.2. This flaw allows unauthorized users to inject malicious SQL code, potentially leading to complete database compromise. The vulnerability stems from improper neutralization of special elements used in SQL commands within the application's PHP files. A patch is available in version 11.2.
The impact of CVE-2020-8967 is severe. Successful exploitation allows an attacker to bypass authentication and directly query the database, potentially extracting sensitive information such as user credentials, financial data, and proprietary business information. Depending on the database structure and permissions, an attacker could also modify or delete data, leading to data loss and operational disruption. The ability to retrieve all database information represents a significant data breach risk, potentially exposing the entire ERP system to compromise. This vulnerability shares characteristics with other SQL injection attacks, where attackers leverage database queries to gain unauthorized access and control.
CVE-2020-8967 was publicly disclosed on June 1, 2020. There is no indication of active exploitation campaigns at this time, but the vulnerability's critical severity and ease of exploitation make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, increasing the risk of exploitation.
Exploit Status
EPSS: 0.26% (50th percentile)
CVSS Vector
The primary mitigation for CVE-2020-8967 is to immediately upgrade GESIO ERP to version 11.2 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and parameterized queries within the application code, so that user-supplied values are never interpreted as part of the SQL statement. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can also provide a layer of protection. Review and restrict database user permissions to limit the potential damage from a successful attack. After upgrade, confirm the vulnerability is resolved by attempting a SQL injection attack on the affected endpoints.
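The following is an added illustration of the parameterized-query workaround described above; it is not code from GESIO ERP or from this advisory, and the table name, column names and connection details are assumed.

```php
<?php
// Added example (not GESIO ERP code): the same user lookup written with string
// interpolation, which is the pattern behind SQL injection, and with a prepared
// statement that keeps user input out of the SQL text entirely.
// The `users` table and its columns are hypothetical.
declare(strict_types=1);

function findUserUnsafe(PDO $db, string $username, string $password): ?array
{
    // VULNERABLE: the input is spliced into the statement text, so special
    // characters in $username or $password change the meaning of the query.
    $sql = "SELECT id, username FROM users "
         . "WHERE username = '$username' AND password_hash = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function findUserSafe(PDO $db, string $username): ?array
{
    // FIXED: the statement text is constant; the value travels as a bound
    // parameter and is never parsed as SQL. The password is checked in PHP.
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function authenticate(PDO $db, string $username, string $password): ?int
{
    $row = findUserSafe($db, $username);
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null; // identical result for unknown user and wrong password
    }
    return (int) $row['id'];
}

// Identifiers (table or column names, ORDER BY targets) cannot be bound as
// parameters; validate them against an allowlist instead of interpolating input.
function orderedListSql(string $sortColumn): string
{
    $allowed = ['id', 'username', 'created_at'];
    if (!in_array($sortColumn, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return "SELECT id, username FROM users ORDER BY `$sortColumn`";
}

// Usage (connection values are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=erp;charset=utf8mb4', 'app_user', 'secret', [
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
// ]);
// $userId = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Pair this with a database account for the application that holds only the privileges the ERP actually needs, as the mitigation paragraph recommends, so a remaining injection point cannot read or alter unrelated tables.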
Update GESIO ERP to version 11.2 or later. This version corrects the SQL injection vulnerability that allows malicious users to access sensitive database information.
CVE-2020-8967 is a critical SQL Injection vulnerability in GESIO ERP versions up to 11.2, allowing attackers to retrieve all database information.
If you are using GESIO ERP version 11.2 or earlier, you are vulnerable to this SQL Injection attack.
Upgrade GESIO ERP to version 11.2 or later to resolve the vulnerability. Consider temporary workarounds like input validation if immediate upgrade is not possible.
While there's no confirmed active exploitation, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the GESIO ERP website or security advisories for the official announcement and details regarding this vulnerability.