Polaris FT Intellect Core Banking
cpe:2.3:a:polarisft:intellect_core_banking:*:*:*:*:*:*:*
- 9.5
A SQL injection vulnerability has been identified in Polaris FT Intellect Core Banking version 9.5. The issue arises in the Intellect Core Search, where input from the groupType parameter in the SCGController endpoint is improperly handled before being incorporated into SQL queries. This flaw allows for SQL injection attacks within an authenticated session.
Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands, potentially leading to unauthorized data access or manipulation.
To reproduce this vulnerability, send a request to the SCGController endpoint with a crafted groupType parameter that includes SQL injection payloads. The injected SQL code will be executed by the database, allowing the attacker to manipulate database queries. For example, injecting a payload that uses SQL functions to delay the response can demonstrate the vulnerability.
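A defensive counterpart to the reproduction note above, as an added example that is not part of the original advisory or the vendor's code: it reviews web access-log lines for SCGController requests whose groupType value falls outside an allow-list and marks those that also came back slowly. The log layout, the `/app/` path prefix, the query-string placement of groupType, the allow-list pattern and the 5-second threshold are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate groupType is a short alphanumeric code.
ALLOWED_GROUP_TYPE = re.compile(r"[A-Za-z0-9_]{1,32}")
SLOW_SECONDS = 5.0  # assumed threshold for a suspiciously delayed response

# Assumed log layout: client "METHOD URL PROTO" status response-seconds
LINE = re.compile(
    r'(?P<ip>\S+) "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<secs>[\d.]+)'
)

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 "GET /app/SCGController?groupType=RETAIL HTTP/1.1" 200 0.120
10.0.0.9 "GET /app/SCGController?groupType=RETAIL%27 HTTP/1.1" 500 0.090
10.0.0.9 "GET /app/SCGController?groupType=RETAIL%27%20constructed-sample HTTP/1.1" 200 10.030
10.0.0.7 "GET /app/Login?user=alice HTTP/1.1" 200 0.050
"""

def review(log_text):
    """Return (client, decoded groupType, reason) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # line does not follow the assumed layout
        url = urlsplit(m["url"])
        if not url.path.endswith("/SCGController"):
            continue  # only the endpoint named in the advisory
        # parse_qs percent-decodes values, so encoded quotes are seen as quotes.
        for value in parse_qs(url.query, keep_blank_values=True).get("groupType", []):
            if ALLOWED_GROUP_TYPE.fullmatch(value):
                continue
            reason = "groupType outside allow-list"
            if float(m["secs"]) >= SLOW_SECONDS:
                reason += ", delayed response"
            findings.append((m["ip"], value, reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Requests that carry groupType in a POST body do not appear in access logs of this kind, so the same allow-list check would need to run at a proxy or in the application for those.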