Vulnerability-Lookup

CNVD-2020-41081

Vulnerability from cnvd - Published: 2020-07-20

Title

GESTI?NINTEGRAL ONLINE GESIO ERP SQL注入漏洞

Description

GESTI?NINTEGRAL ONLINE GESIO ERP是西班牙GESTI?NINTEGRAL ONLINE公司的一套在线ERP（企业资源计划）管理软件。该软件支持账单管理、库存管理以及业务管理等功能。 GESTI?NINTEGRAL ONLINE GESIO ERP 11.2之前版本中的php文件存在SQL注入漏洞。攻击者可利用该漏洞检索数据库信息。

Severity

高

Patch Name

GESTI?NINTEGRAL ONLINE GESIO ERP SQL注入漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://update.gesio.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-8967

Impacted products

Name
GESTI?NINTEGRAL ONLINE GESIO ERP <11.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-8967"
    }
  },
  "description": "GESTI?NINTEGRAL ONLINE GESIO ERP\u662f\u897f\u73ed\u7259GESTI?NINTEGRAL ONLINE\u516c\u53f8\u7684\u4e00\u5957\u5728\u7ebfERP\uff08\u4f01\u4e1a\u8d44\u6e90\u8ba1\u5212\uff09\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u8d26\u5355\u7ba1\u7406\u3001\u5e93\u5b58\u7ba1\u7406\u4ee5\u53ca\u4e1a\u52a1\u7ba1\u7406\u7b49\u529f\u80fd\u3002\n\nGESTI?NINTEGRAL ONLINE GESIO ERP 11.2\u4e4b\u524d\u7248\u672c\u4e2d\u7684php\u6587\u4ef6\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u68c0\u7d22\u6570\u636e\u5e93\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://update.gesio.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-41081",
  "openTime": "2020-07-20",
  "patchDescription": "GESTI?NINTEGRAL ONLINE GESIO ERP\u662f\u897f\u73ed\u7259GESTI?NINTEGRAL ONLINE\u516c\u53f8\u7684\u4e00\u5957\u5728\u7ebfERP\uff08\u4f01\u4e1a\u8d44\u6e90\u8ba1\u5212\uff09\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u8d26\u5355\u7ba1\u7406\u3001\u5e93\u5b58\u7ba1\u7406\u4ee5\u53ca\u4e1a\u52a1\u7ba1\u7406\u7b49\u529f\u80fd\u3002\r\n\r\nGESTI?NINTEGRAL ONLINE GESIO ERP 11.2\u4e4b\u524d\u7248\u672c\u4e2d\u7684php\u6587\u4ef6\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u68c0\u7d22\u6570\u636e\u5e93\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "GESTI?NINTEGRAL ONLINE GESIO ERP SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "GESTI?NINTEGRAL ONLINE GESIO ERP \u003c11.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-8967",
  "serverity": "\u9ad8",
  "submitTime": "2020-06-02",
  "title": "GESTI?NINTEGRAL ONLINE GESIO ERP SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2020-8967 (GCVE-0-2020-8967)

Vulnerability from cvelistv5 – Published: 2020-06-01 13:05 – Updated: 2024-09-16 16:42

Title

GESIO SQL injection vulnerability

Summary

There is an improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in php files of GESIO ERP. GESIO ERP all versions prior to 11.2 allows malicious users to retrieve all database information.

Severity

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

Assigner

INCIBE

References

1 reference

URL	Tags
https://www.incibe-cert.es/en/early-warning/secur…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Gesio (GESTIÓN INTEGRAL ONLINE, SL)	GESIO ERP	Affected: 11.2 , < 11.2 (custom)

Date Public

2020-06-01 00:00

Credits

Francisco Palma, Luis Vázquez and Diego León.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:19:18.207Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/gesio-sql-injection-vulnerability"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GESIO ERP",
          "vendor": "Gesio (GESTI\u00d3N INTEGRAL ONLINE, SL)",
          "versions": [
            {
              "lessThan": "11.2",
              "status": "affected",
              "version": "11.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Francisco Palma, Luis V\u00e1zquez and Diego Le\u00f3n."
        }
      ],
      "datePublic": "2020-06-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "There is an improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in php files of GESIO ERP. GESIO ERP all versions prior to 11.2 allows malicious users to retrieve all database information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-01T13:05:29.000Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/gesio-sql-injection-vulnerability"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to version 11.2"
        }
      ],
      "source": {
        "advisory": "INCIBE-2020-0225",
        "discovery": "EXTERNAL"
      },
      "title": "GESIO SQL injection vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-coordination@incibe.es",
          "DATE_PUBLIC": "2020-06-01T09:00:00.000Z",
          "ID": "CVE-2020-8967",
          "STATE": "PUBLIC",
          "TITLE": "GESIO SQL injection vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GESIO ERP",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "11.2",
                            "version_value": "11.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Gesio (GESTI\u00d3N INTEGRAL ONLINE, SL)"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Francisco Palma, Luis V\u00e1zquez and Diego Le\u00f3n."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There is an improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in php files of GESIO ERP. GESIO ERP all versions prior to 11.2 allows malicious users to retrieve all database information."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.incibe-cert.es/en/early-warning/security-advisories/gesio-sql-injection-vulnerability",
              "refsource": "CONFIRM",
              "url": "https://www.incibe-cert.es/en/early-warning/security-advisories/gesio-sql-injection-vulnerability"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to version 11.2"
          }
        ],
        "source": {
          "advisory": "INCIBE-2020-0225",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2020-8967",
    "datePublished": "2020-06-01T13:05:29.043Z",
    "dateReserved": "2020-02-13T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:42:51.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-41081

CVE-2020-8967 (GCVE-0-2020-8967)

Tags

Sightings

Nomenclature