Base Digitale Centrax Open PSIM SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in Base Digitale Centrax Open PSIM version 6.1 and prior. This vulnerability allows an unauthenticated user to execute arbitrary SQL commands by manipulating the sender parameter in the cmd component of the application.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command execution on the back-end database, potentially leading to unauthorized data manipulation, including creation, reading, updating, or deletion of database records.

Reproduction

To reproduce this vulnerability, send a POST request to the /cmd endpoint with a JSON payload that includes a crafted sender parameter. The payload should be designed to exploit the SQL injection vulnerability, such as by using a time-based injection technique that leverages SQL's sleep function to demonstrate the injection's effectiveness. Alternatively, the tool sqlmap can be used to automate the exploitation of this vulnerability by targeting the sender parameter with a payload that bypasses authentication.
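A defender-side illustration added here (not part of the advisory or the vendor's code): it flags POST requests to /cmd whose JSON sender field carries a time-delay SQL function of the kind the reproduction notes describe, or that fails a strict identifier allowlist. The tab-separated log format, the allowlist pattern and every sample record are constructed assumptions for this example.

```python
import json
import re

# Time-delay functions across common database engines (MySQL, PostgreSQL,
# MSSQL, Oracle). None of these belong in an identifier such as "sender".
TIME_DELAY_RE = re.compile(
    r"\bsleep\s*\(|\bpg_sleep\b|\bwaitfor\s+delay\b|\bbenchmark\s*\(|dbms_lock\.sleep",
    re.IGNORECASE,
)
# Assumed shape of a legitimate sender identifier (adjust to the deployment).
SENDER_ALLOWLIST_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def inspect_cmd_request(method, path, body):
    """Return a reason string if a /cmd request looks like sender injection, else None."""
    if method != "POST" or path != "/cmd":
        return None
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return "body is not valid JSON"
    sender = payload.get("sender") if isinstance(payload, dict) else None
    if not isinstance(sender, str):
        return "sender missing or not a string"
    if TIME_DELAY_RE.search(sender):
        return "time-delay SQL function in sender"
    if not SENDER_ALLOWLIST_RE.match(sender):
        return "sender fails identifier allowlist"
    return None


def scan_log(lines):
    """Return [(line_number, reason)] for each suspicious 'method<TAB>path<TAB>body' record."""
    hits = []
    for number, line in enumerate(lines, start=1):
        method, path, body = (line.split("\t", 2) + ["", "", ""])[:3]
        reason = inspect_cmd_request(method, path, body)
        if reason:
            hits.append((number, reason))
    return hits


# Constructed sample records: benign traffic mixed with suspicious sender values.
SAMPLE_LOG = [
    'POST\t/cmd\t{"sender": "operator1", "cmd": "status"}',
    'POST\t/cmd\t{"sender": "x\' AND SLEEP(5)-- ", "cmd": "status"}',
    'GET\t/status\t',
    'POST\t/cmd\t{"sender": "a\'; WAITFOR DELAY \'0:0:5\'--", "cmd": "arm"}',
    'POST\t/cmd\t{"sender": "guard 7; --", "cmd": "arm"}',
    'POST\t/cmd\tnot-json',
]

if __name__ == "__main__":
    for number, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```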

Remediation

Users are advised to upgrade Centrax Open PSIM to version 6.1 or later.

Added: Oct 16, 2025, 5:19 PM
Updated: Oct 16, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.