Advantive VeraCore SQL Injection Vulnerability Allowing Arbitrary SQL Command Execution

A SQL injection vulnerability has been identified in the Advantive VeraCore application, specifically in the timeoutWarning.asp file, in versions through 2025.1.0. This vulnerability allows remote attackers to execute arbitrary SQL commands by manipulating the PmSess1 parameter. The issue arises because the application concatenates user input with static strings to form SQL queries, creating an opportunity for injection.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can execute arbitrary SQL commands. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the VeraCore application’s timeoutWarning.asp endpoint. The PmSess1 parameter must be included in the request, with the value crafted to inject SQL commands into the application's database query. This can be done by exploiting the application's SQL query construction, which concatenates user input with static strings to create the final SQL command.

Remediation

Users are advised to update to VeraCore version 2025.1.1 or later, where this vulnerability has been addressed.