CM Soluces Informatica Auto Atendimento SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in CM Soluces Informatica Ltda Auto Atendimento version 1.x.x. The affected inputs are the CPF and DATANASC parameters, through which remote attackers can execute arbitrary SQL commands. The vulnerability could be exploited to manipulate the application's database or execute unauthorized actions.
Impact
Exploitation of this vulnerability lets an attacker execute arbitrary SQL commands in the application's database context. This could lead to unauthorized data access, data manipulation, or, in some cases, the execution of administrative operations on the database.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'NovoUsuario' or 'EnvioSenha' endpoints of the Auto Atendimento application, with the CPF and DATANASC parameters included in the request data. The injection is triggered by SQL payloads supplied in these parameters, which take advantage of the application's SQL query handling.
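For defenders, the following sketch shows how the two affected fields could be handled server-side: strict validation of CPF (11 digits with the standard mod-11 check digits) and DATANASC, followed by a parameterized query. It is an added example, not the vendor's code or fix; the `usuarios` table, its columns, the DD/MM/YYYY date format and the use of SQLite as a stand-in database are all assumptions.

```python
import re
import sqlite3
from datetime import date, datetime

def valid_cpf(cpf: str) -> bool:
    """Accept only 11 ASCII digits whose two mod-11 check digits are correct."""
    if not re.fullmatch(r"[0-9]{11}", cpf) or cpf == cpf[0] * 11:
        return False
    for n in (9, 10):  # position of the first and second check digit
        total = sum(int(d) * w for d, w in zip(cpf[:n], range(n + 1, 1, -1)))
        if int(cpf[n]) != (total * 10) % 11 % 10:
            return False
    return True

def parse_datanasc(value: str) -> date:
    """Parse a birth date; DD/MM/YYYY is an assumed wire format."""
    if not re.fullmatch(r"[0-9]{2}/[0-9]{2}/[0-9]{4}", value):
        raise ValueError("DATANASC: unexpected format")
    parsed = datetime.strptime(value, "%d/%m/%Y").date()  # rejects 31/02 etc.
    if not date(1900, 1, 1) <= parsed <= date.today():
        raise ValueError("DATANASC: out of range")
    return parsed

def find_user(db: sqlite3.Connection, cpf: str, datanasc: str):
    """Validate both fields, then bind them as parameters; never concatenate."""
    if not valid_cpf(cpf):
        raise ValueError("CPF: invalid")
    born = parse_datanasc(datanasc)
    row = db.execute(
        "SELECT id FROM usuarios WHERE cpf = ? AND datanasc = ?",
        (cpf, born.isoformat()),
    ).fetchone()
    return row[0] if row else None

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usuarios (id INTEGER, cpf TEXT, datanasc TEXT)")
    db.execute("INSERT INTO usuarios VALUES (1, '52998224725', '1990-05-17')")
    return db
```

Validation alone is not the fix: the bound parameters are what keep input out of the SQL text, and the validators reduce what ever reaches the query and give a clean rejection point to log and alert on.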
