CentralSquare Community Development SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in CentralSquare Community Development version 19.5.7. The issue arises in the IVR (Interactive Voice Response) component, which can be accessed through a web interface. The vulnerability allows unauthenticated users to inject SQL via the permit_no field, potentially leading to unauthorized data extraction or manipulation in the backend database.
Impact
Exploitation of this vulnerability could allow attackers to perform time-based or error-based SQL injection, with the possibility of extracting or manipulating data in the backend database, depending on the database configuration and privileges.
Reproduction
The vulnerability can be reproduced by accessing the IVR web interface and navigating through the simulated call prompts. After progressing through the prompts, the permit_no parameter can be injected with malicious SQL payloads. The lack of proper input sanitization before the parameter is used in backend SQL queries creates the injection vulnerability.
Remediation
CentralSquare has stated that it will contact affected organizations with guidance on applying patches and updates. In the meantime, it is recommended to restrict public access to the IVR web interface, limit the interface to internal networks or VPN-only access, review stored form fields for unexpected HTML or JavaScript content, and monitor access logs for requests to the IVR administrative page or unusual IVR query behavior.
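To make the monitoring advice concrete, here is an added example (not CentralSquare's code and not from the advisory) that triages web access logs for IVR requests whose permit_no value falls outside an allowlisted permit-number format or carries SQL metacharacters, and for hits on the IVR administrative page; the /ivr/ paths, the permit-number pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format request line; enough fields for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed paths: the advisory names neither the IVR URL nor the admin page.
IVR_PREFIX = "/ivr/"
ADMIN_PATH = "/ivr/admin"
# Assumed permit-number allowlist (letters, digits, dashes); tune to the real format.
PERMIT_RE = re.compile(r"^[A-Za-z0-9-]{1,20}$")
# Tokens that have no business in a permit number once the allowlist check fails.
SQL_META_RE = re.compile(r"['\";]|--|/\*|\b(?:or|and|union|select|sleep|waitfor)\b", re.I)


def validate_permit_no(value):
    """Input-boundary check a fix would apply before the value reaches any SQL."""
    return bool(PERMIT_RE.match(value))


def classify(line):
    """Return (ip, target, status, reasons) for a suspicious IVR request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    if not parts.path.startswith(IVR_PREFIX):
        return None
    reasons = []
    if parts.path.startswith(ADMIN_PATH):
        reasons.append("ivr-admin-access")
    # parse_qs percent-decodes, so encoded quotes and spaces are inspected as sent.
    for value in parse_qs(parts.query, keep_blank_values=True).get("permit_no", []):
        if not validate_permit_no(value):
            reasons.append("permit_no-format")
            if SQL_META_RE.search(value):
                reasons.append("permit_no-sql-meta")
    if reasons and m.group("status") == "500":
        reasons.append("server-error")  # error-based probing often surfaces as 500s
    return (m.group("ip"), target, m.group("status"), reasons) if reasons else None


def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


# Constructed sample log; IPs, timestamps and permit values are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /ivr/permit?permit_no=BLD-2024-0113 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2025:10:01:09 +0000] "GET /ivr/permit?permit_no=BLD-2024-0113' HTTP/1.1" 500 88
10.0.0.9 - - [12/Mar/2025:10:01:15 +0000] "GET /ivr/permit?permit_no=1'%20OR%20'1'%3D'1 HTTP/1.1" 200 9120
10.0.0.7 - - [12/Mar/2025:10:02:00 +0000] "GET /ivr/admin HTTP/1.1" 403 0
"""
```

Running scan(SAMPLE_LOG) flags the three non-benign lines with their reasons; the same validate_permit_no check, placed in front of the query, is the input-validation half of a fix (the other half being parameterized queries).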
