St. Joe ERP System SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the St. Joe ERP system. It allows unauthenticated remote attackers to execute arbitrary SQL commands by sending crafted HTTP POST requests to the login endpoint. The application does not properly sanitize user input before including it in SQL queries, so the input directly alters the statements run against the backend database. Exploitation could lead to unauthorized data access, modification of records, or limited disruption of service.
Impact
Exploitation of this vulnerability allows for arbitrary SQL command execution, potentially leading to unauthorized data access, data modification, or disruption of service.
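The root cause described above (user input spliced into SQL text) and its standard fix (parameterized queries) are illustrated below. This is an added example using an in-memory SQLite table; it is not code from the St. Joe ERP product, and the table layout, column names and the `login_vulnerable`/`login_safe` functions are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database with a single user row (not the product's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # Pattern the advisory describes: input becomes part of the SQL statement text,
    # so quote characters and comment markers in the input change the query logic.
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password_hash = '"
        + password_hash
        + "'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password_hash):
    # Hardened form: placeholders keep the input as data; the statement structure is
    # fixed before any user-controlled value is bound, so no input can alter it.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def compare(username, password_hash):
    """Run both variants on the same input and report which one authenticated."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password_hash) is not None,
        "safe": login_safe(conn, username, password_hash) is not None,
    }


if __name__ == "__main__":
    print(compare("alice", "hash-of-alice-password"))  # both authenticate
    print(compare("alice' --", "wrong"))               # only the vulnerable variant does
```

With a legitimate username and hash both variants return the row; with a username that closes the quoted literal and comments out the rest of the statement, only the concatenating variant authenticates. The parameterized query is the fix to apply wherever request parameters reach SQL.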
Reproduction
To reproduce this vulnerability, send a POST request to the '/erp/dwr/call/plaincall/SingleRowQueryConvertor.queryForString.dwr' endpoint with the 'c0-param0' parameter set to a crafted SQL payload that abuses the application's query handling. No authentication is required, since the endpoint is reachable by unauthenticated clients.
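For defenders, the endpoint and parameter named above are enough to write a request-inspection rule. The following is an added example (not part of the advisory or the product) that flags POSTs to the DWR endpoint when the call is unauthenticated or when 'c0-param0' carries SQL metacharacters. It assumes the DWR plaincall body format of newline-separated `key=value` pairs with string values prefixed by `string:`; the sample requests are constructed, and the `authenticated` flag stands in for whatever session check the deployment actually uses.

```python
import re
from dataclasses import dataclass

# Values taken from the advisory.
DWR_ENDPOINT = "/erp/dwr/call/plaincall/SingleRowQueryConvertor.queryForString.dwr"
WATCHED_PARAM = "c0-param0"

# Coarse indicators of SQL syntax inside a value that should be plain data.
# Tune to the deployment; these are illustrative, not exhaustive.
SQLI_INDICATORS = re.compile(
    r"(--|/\*|;|'|\"|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bwaitfor\b)",
    re.IGNORECASE,
)


@dataclass
class Request:
    method: str
    path: str
    body: str
    authenticated: bool  # assumption: set by the session layer before inspection


def parse_dwr_body(body):
    """Parse a DWR plaincall body (assumed key=value per line) into a dict."""
    params = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def inspect(req):
    """Return a list of alert reasons for one request, or None if nothing is suspicious."""
    if req.method != "POST" or req.path != DWR_ENDPOINT:
        return None
    value = parse_dwr_body(req.body).get(WATCHED_PARAM, "")
    if value.startswith("string:"):  # DWR type prefix (assumption about the encoding)
        value = value[len("string:"):]
    reasons = []
    if not req.authenticated:
        reasons.append("unauthenticated call to DWR query endpoint")
    if SQLI_INDICATORS.search(value):
        reasons.append("SQL metacharacters in " + WATCHED_PARAM)
    return reasons or None


def scan(requests):
    """Run inspect() over a batch and return (index, reasons) for every hit."""
    hits = []
    for i, req in enumerate(requests):
        reasons = inspect(req)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample traffic for demonstration.
SAMPLE = [
    Request("POST", DWR_ENDPOINT, "callCount=1\nc0-param0=string:ORD-1001\n", True),
    Request("POST", DWR_ENDPOINT, "callCount=1\nc0-param0=string:x' OR 1=1 --\n", False),
    Request("POST", DWR_ENDPOINT, "callCount=1\nc0-param0=string:ORD-1002\n", False),
    Request("GET", "/erp/login", "", False),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE):
        print(index, reasons)
```

The first sample is a benign authenticated lookup and produces no alert; the second trips both checks; the third is flagged only because the endpoint was reached without a session, which is itself the condition the advisory says should not be possible. In production, block or alert on unauthenticated calls to this endpoint regardless of payload, and treat the metacharacter check as a secondary signal.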
