Econtrata SQL Injection Vulnerability in /valida Endpoint
Vulnerability
A critical SQL injection vulnerability has been identified in the Econtrata application, affecting versions prior to 20250516. The issue arises in an unknown function of the file '/valida', where the 'usuario' parameter can be manipulated to inject malicious SQL queries. This vulnerability is exploitable remotely and has been publicly disclosed.
Impact
Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can execute arbitrary SQL commands and potentially extract data from the database by measuring response time delays.
Reproduction
To reproduce this vulnerability, send a POST request to the '/valida' endpoint with a crafted 'usuario' parameter that includes a SQL injection payload. The injection can be confirmed by observing a delay in the server's response, indicating that the SQL payload was executed successfully.
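As an added defensive example (not code from the advisory or from the Econtrata project), the script below correlates the two signals the Reproduction section describes: SQL metacharacters in the 'usuario' parameter of a POST to '/valida', and a response time far above the endpoint's normal baseline. The log format and all entries are constructed for illustration, and it assumes the application (or a reverse proxy) logs form bodies.

```python
import re
from statistics import median
from urllib.parse import parse_qs

# Constructed application log lines (illustrative, not real traffic), one per request:
# <timestamp> <method> <path> <status> <duration_ms> <form-encoded body or '-'>
SAMPLE_LOG = """\
2025-05-16T10:00:01Z POST /valida 200 112 usuario=maria&senha=x
2025-05-16T10:00:02Z POST /valida 200 98 usuario=joao&senha=x
2025-05-16T10:00:03Z POST /valida 200 105 usuario=ana.silva&senha=x
2025-05-16T10:00:09Z POST /valida 200 5120 usuario=maria%27+AND+1%3D1--&senha=x
2025-05-16T10:00:15Z POST /valida 200 5098 usuario=maria%27%3B+--&senha=x
2025-05-16T10:00:16Z GET /index 200 40 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+) (?P<ms>\d+) (?P<body>\S+)$"
)
# Quote characters, statement separators and SQL comment markers have no place in a username.
META_RE = re.compile(r"['\";]|--|/\*")


def usuario_of(record):
    """Extract the decoded 'usuario' value from the logged form body ('' if absent)."""
    return parse_qs(record["body"]).get("usuario", [""])[0]


def suspicious_valida_requests(log_text, slow_factor=10.0):
    """Return (timestamp, usuario, duration_ms) for POST /valida requests that carry
    SQL metacharacters in 'usuario' AND took >= slow_factor times the clean baseline.
    The baseline is the median duration of requests whose 'usuario' is metacharacter-free."""
    records = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    valida = [r for r in records if r["method"] == "POST" and r["path"] == "/valida"]
    clean_ms = [int(r["ms"]) for r in valida if not META_RE.search(usuario_of(r))]
    baseline = median(clean_ms) if clean_ms else 0
    hits = []
    for r in valida:
        user, ms = usuario_of(r), int(r["ms"])
        if META_RE.search(user) and baseline and ms >= slow_factor * baseline:
            hits.append((r["ts"], user, ms))
    return hits


if __name__ == "__main__":
    for ts, user, ms in suspicious_valida_requests(SAMPLE_LOG):
        print(f"{ts} suspicious usuario={user!r} took {ms} ms")
```

Requests with metacharacters but normal latency are deliberately not flagged by this rule, so pair it with a plain metacharacter alert if you also want to see failed probes.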
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
