Infor Storefront B2B SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Infor Storefront B2B version 1.0. This vulnerability allows attackers to manipulate database queries by injecting malicious SQL code into the 'usr_name' parameter during login requests. Exploitation of this vulnerability could lead to unauthorized extraction or modification of database information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with the application's database queries. This could result in unauthorized data access, data manipulation, or potentially the execution of administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a login request to the 'login.do' endpoint of the 'storefrontB2BWEB' application with SQL code appended to the 'usr_name' parameter. The application passes the injected code to its database for processing, which allows SQL injection. Alternatively, the vulnerability can be exploited through the 'cart.do' endpoint by injecting SQL code into the 'itm_id' parameter.
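
For defenders reviewing proxy or WAF logs, the following added example (not part of the original advisory or of Infor's code) flags requests to the two endpoint and parameter pairs named above whose decoded value contains SQL syntax. The URL paths, sample values, the 'note' parameter and the marker list are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> parameter pairs named in the advisory.
WATCHED = {"login.do": "usr_name", "cart.do": "itm_id"}

# Heuristic SQL markers. Assumption: legitimate user names and item ids
# never contain quotes, semicolons, comment markers or these keywords.
SQL_MARKERS = re.compile(r"['\";]|--|/\*|\b(?:union|select)\b", re.IGNORECASE)


def flag_request(url, body=""):
    """Return (endpoint, parameter, decoded value) for suspicious values."""
    parts = urlsplit(url)
    endpoint = parts.path.rsplit("/", 1)[-1]
    param = WATCHED.get(endpoint)
    if param is None:
        return []
    hits = []
    # The parameter may arrive in the query string or in a form-encoded body.
    for source in (parts.query, body):
        for value in parse_qs(source, keep_blank_values=True).get(param, []):
            if SQL_MARKERS.search(value):
                hits.append((endpoint, param, value))
    return hits


def scan(requests):
    """Run flag_request over (url, body) pairs and collect every hit."""
    return [hit for url, body in requests for hit in flag_request(url, body)]


# Constructed sample requests (paths and values are illustrative only).
SAMPLES = [
    ("/storefrontB2BWEB/login.do", "usr_name=jsmith"),
    ("/storefrontB2BWEB/login.do", "usr_name=jsmith%27+OR+%271%27%3D%271"),
    ("/storefrontB2BWEB/cart.do?itm_id=10442", ""),
    ("/storefrontB2BWEB/cart.do?itm_id=10442%27--", ""),
    ("/storefrontB2BWEB/cart.do?itm_id=10442&note=it%27s", ""),  # other param ignored
]

if __name__ == "__main__":
    for endpoint, param, value in scan(SAMPLES):
        print(f"ALERT {endpoint} {param}={value!r}")
```

The check runs on percent-decoded values, so encoded quotes are caught as well; it is a log triage heuristic and does not replace fixing the query handling in the application.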

Added: Jan 30, 2026, 11:32 PM
Updated: Jan 30, 2026, 11:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.