Benner ModernaNet SQL Injection Vulnerability
Vulnerability
A critical SQL injection vulnerability has been identified in Benner ModernaNet versions prior to 1.1.0. The issue resides in the 'convenio' parameter of the '/AGE0000700/GetHorariosDoDia' endpoint. This vulnerability allows for blind error-based SQL injection, where an attacker can infer database information by manipulating the parameter and analyzing the application's response.
Impact
Exploitation of this vulnerability allows for blind error-based SQL injection, enabling an attacker to infer database information, which could lead to further exploitation.
Reproduction
The vulnerability can be reproduced by sending a request to the '/AGE0000700/GetHorariosDoDia' endpoint with the 'convenio' parameter set to a value that triggers the SQL injection. The injection can be confirmed by using a payload that exploits the SQL injection vulnerability, such as one that causes a database error or modifies the SQL query in a way that reveals information.
Remediation
Users are advised to upgrade to Benner ModernaNet version 1.1.1 or later.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.