Siemens Opcenter QL Home
cpe:2.3:a:siemens:opcenter_quality:*:*:*:*:*:*:*
- >= V13.2, < V2506
A vulnerability exists in Siemens Opcenter Quality SmartClient modules, specifically in Opcenter QL Home (SC), SOA Audit, and SOA Cockpit, all versions from 13.2 up to 2506. The issue arises because the application inadvertently reveals SQL statements in error messages when reports are generated using the Cockpit tool. This could potentially be exploited to conduct SQL injection attacks.
Exploitation of this vulnerability could lead to SQL injection, allowing attackers to manipulate database queries and potentially access or modify sensitive information.
Users are advised to update to the latest versions of the affected SmartClient modules. Additionally, it is recommended to create custom reporting accounts that access data through views, rather than original table structures. Hardening instructions for Internet Information Services (IIS) should also be followed, including limiting the information available to end-users based on a need-to-know basis, preventing scans of database structures and configurations, and using database tools to manage reporting loads on production systems.
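The error-message disclosure described above and the need-to-know guidance can be illustrated as follows. This is an added example, not Siemens code: a report runner that echoes the failing SQL statement to the user, next to one that keeps it in the server log, plus a heuristic check for verifying error bodies after hardening. SQLite, the table and column names, and all function names are assumptions made for this example.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("report")

def make_db():
    # Constructed schema and data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE inspection (id INTEGER, part TEXT, result TEXT)")
    db.execute("INSERT INTO inspection VALUES (1, 'P-100', 'OK')")
    return db

def run_report_leaky(db, sql):
    """Disclosure pattern: the failing statement is echoed back to the end user."""
    try:
        return {"rows": db.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": f"Report failed: {exc} in statement [{sql}]"}

def run_report_hardened(db, sql):
    """Statement and driver error stay in the server log; the user gets a reference id."""
    try:
        return {"rows": db.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("report %s failed: %s; statement=%r", ref, exc, sql)
        return {"error": f"Report could not be generated. Reference: {ref}"}

# Heuristic check for error bodies: a SQL verb followed by its clause keyword.
SQL_LEAK = re.compile(
    r"\b(select\b.+\bfrom|insert\s+into|update\b.+\bset|delete\s+from)\b",
    re.I | re.S,
)

def leaks_sql(body):
    return bool(SQL_LEAK.search(body))

if __name__ == "__main__":
    db = make_db()
    bad = "SELECT part, reslt FROM inspection"  # constructed typo to force an error
    for runner in (run_report_leaky, run_report_hardened):
        body = runner(db, bad)["error"]
        print(f"{runner.__name__}: leaks_sql={leaks_sql(body)} -> {body}")
```

The reference id lets support staff find the full statement in the server log without exposing table or column names to the report user.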