FMI Contractor Web and BEIMS Contractor Web SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the BEIMS Contractor Web application, specifically in version 5.7.139, on the /BEIMSWeb/contractor.asp endpoint. This legacy product is no longer maintained or patched by the vendor. The vulnerability allows unauthorized users to execute arbitrary SQL commands and retrieve sensitive database information through unsanitized parameter inputs. Successful exploitation requires the contractor.asp endpoint to be accessible via the internet. Additionally, this vulnerability is present in the Contractor Web application, which shares the same database as the Pulse thick-client application and is also not recommended for internet or cloud deployments.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution, potentially leading to unauthorized data access, data manipulation, and disruption of database availability.

Added: Nov 17, 2025, 3:19 AM
Updated: Nov 17, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 1.1
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.