CM Soluces Informatica Auto Atendimento SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in CM Soluces Informatica Ltda Auto Atendimento version 1.x.x. The issue arises in the DATANASC parameter, allowing remote attackers to execute arbitrary SQL commands. This vulnerability can be exploited by sending crafted requests that include malicious SQL payloads, potentially leading to unauthorized data access or manipulation.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can execute arbitrary SQL commands on the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing arbitrary code, depending on the application's database interaction.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'NovoUsuario' or 'EnvioSenha' endpoints of the Auto Atendimento application with a crafted value in the 'DATANASC' parameter. The 'CPF' parameter, which is accepted by the same endpoints, is affected in the same way and can be manipulated to further exploit the vulnerability.
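The root cause described above (request parameters reaching a SQL query as raw string fragments) and its fix can be shown in a few lines. The following is an added illustration written for this page, not code from CM Soluces Informatica or the Auto Atendimento product: the table layout, the Python/sqlite3 stand-in for the real database, the ISO date format assumed for DATANASC, and the function names are all assumptions. It places a concatenating lookup beside a hardened one that validates the CPF check digits and the date before binding both as parameters, so the database never sees the values as SQL.

```python
import datetime
import re
import sqlite3

# Constructed sample data and a hypothetical schema standing in for the
# user table the NovoUsuario / EnvioSenha endpoints would query.
_SAMPLE_ROWS = [
    ("12345678909", "1990-05-17", "Ana"),
    ("98765432100", "1985-11-02", "Bruno"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (cpf TEXT, datanasc TEXT, nome TEXT)")
    conn.executemany("INSERT INTO usuarios VALUES (?, ?, ?)", _SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, cpf, datanasc):
    """Anti-pattern: request values are spliced straight into the SQL text,
    so a quote character in DATANASC or CPF changes the query structure."""
    sql = ("SELECT nome FROM usuarios WHERE cpf = '" + cpf
           + "' AND datanasc = '" + datanasc + "'")
    return [row[0] for row in conn.execute(sql)]


_CPF_RE = re.compile(r"^\d{11}$")
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # assumed ISO layout for DATANASC


def cpf_is_valid(cpf):
    """Structural check of a Brazilian CPF: 11 digits, not all identical,
    and both verifier digits (modulo-11 with weights 10..2 and 11..2) match."""
    if not _CPF_RE.match(cpf) or cpf == cpf[0] * 11:
        return False

    def check_digit(digits, start_weight):
        total = sum(int(d) * w for d, w in zip(digits, range(start_weight, 1, -1)))
        remainder = total % 11
        return 0 if remainder < 2 else 11 - remainder

    return (cpf[9] == str(check_digit(cpf[:9], 10))
            and cpf[10] == str(check_digit(cpf[:10], 11)))


def datanasc_is_valid(value):
    """Accept only a syntactically and calendrically valid YYYY-MM-DD date."""
    if not _DATE_RE.match(value):
        return False
    try:
        datetime.date.fromisoformat(value)
    except ValueError:
        return False
    return True


def lookup_hardened(conn, cpf, datanasc):
    """Validate both inputs against their expected shape, then bind them as
    query parameters. Anything that is not a plausible CPF/date is refused
    before any SQL is built, which also removes the injection surface."""
    if not (cpf_is_valid(cpf) and datanasc_is_valid(datanasc)):
        raise ValueError("rejected malformed CPF or DATANASC")
    return [row[0] for row in conn.execute(
        "SELECT nome FROM usuarios WHERE cpf = ? AND datanasc = ?",
        (cpf, datanasc))]


def hardened_rejects(conn, cpf, datanasc):
    """True when the hardened lookup refuses the input instead of querying."""
    try:
        lookup_hardened(conn, cpf, datanasc)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A constructed tautology in DATANASC makes the concatenated query match
    # every row; the hardened path refuses the same input outright.
    print(sorted(lookup_vulnerable(db, "x", "x' OR '1'='1")))
    print(hardened_rejects(db, "x", "x' OR '1'='1"))
    print(lookup_hardened(db, "12345678909", "1990-05-17"))
```

The same two validators are useful on the detection side: a DATANASC or CPF value in request logs that fails them is, at minimum, malformed input to this endpoint and worth alerting on. Parameter binding remains the actual fix; validation only narrows what reaches the database.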