Nemon Products SQL Injection Vulnerability Allowing Unauthenticated Access to Two-Factor Authentication

Vulnerability

A SQL injection vulnerability has been identified in Nemon Trade Energy and Nemon Trade Energy CRM, both in version 2.95.55. The flaw is in the 'two_steps_auth_code' parameter, which the 'twoStepsAuthVerification' function handles on the '/user-login' endpoint. Because this two-factor authentication (2FA) verification step can be reached without an authenticated session, an unauthenticated attacker can submit a crafted value for the parameter and execute arbitrary SQL queries against the backend database. Exploitation could lead to database enumeration, unauthorized creation of privileged users, modification or deletion of critical information, and denial-of-service conditions.
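The flaw described above, as an added illustration that is not code from Nemon or from this advisory: a hypothetical 2FA verification step that splices the submitted code into its SQL text, next to a parameterized version that also refuses to consult the code table unless the first factor already succeeded in the session. The table schema, function names, session layout, sample code value and the session-based flow are all constructed for this example and are not the vendor's implementation.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema for the demo; the real Nemon tables are not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE two_steps_codes (user_id INTEGER, code TEXT, used INTEGER DEFAULT 0)"
    )
    conn.execute("INSERT INTO two_steps_codes (user_id, code, used) VALUES (1, '483920', 0)")
    conn.commit()
    return conn


def verify_code_vulnerable(conn, user_id, code):
    """Hypothetical vulnerable pattern: the submitted code is concatenated into the query.

    A value such as  ' OR '1'='1  closes the string literal and rewrites the
    WHERE clause, so the check passes without knowing the real code.
    """
    sql = (
        "SELECT user_id FROM two_steps_codes "
        "WHERE user_id = %d AND code = '%s' AND used = 0" % (int(user_id), code)
    )
    return conn.execute(sql).fetchone() is not None


def verify_code_hardened(conn, user_id, code):
    """Parameterized query: the code is bound as data and cannot change the statement."""
    row = conn.execute(
        "SELECT user_id FROM two_steps_codes WHERE user_id = ? AND code = ? AND used = 0",
        (int(user_id), code),
    ).fetchone()
    return row is not None


def looks_like_2fa_code(code):
    """Shape check applied before any database access: a 2FA code is a short digit string."""
    return isinstance(code, str) and code.isdigit() and 4 <= len(code) <= 8


def two_steps_auth_verification(conn, session, code):
    """Hardened second-factor step (assumed flow, not the vendor's code).

    The code table is only consulted for a user whose first factor already
    succeeded in this session; an unauthenticated caller has no pending_user_id
    and is rejected before any query runs.
    """
    user_id = session.get("pending_user_id")
    if user_id is None:
        return False
    if not looks_like_2fa_code(code):
        return False
    if not verify_code_hardened(conn, user_id, code):
        return False
    # Burn the code so it cannot be replayed, then promote the session.
    conn.execute(
        "UPDATE two_steps_codes SET used = 1 WHERE user_id = ? AND code = ?", (user_id, code)
    )
    conn.commit()
    session["user_id"] = user_id
    del session["pending_user_id"]
    return True


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected:", verify_code_vulnerable(db, 1, payload))  # True: bypass
    print("hardened, injected:  ", verify_code_hardened(db, 1, payload))    # False
    print("hardened, real code: ", verify_code_hardened(db, 1, "483920"))   # True
    print("no first factor:     ", two_steps_auth_verification(db, {}, "483920"))  # False
```

The parameterized query alone closes the injection; the session check is the separate control that addresses the "unauthenticated" part of the finding, since a second-factor endpoint that accepts requests without a completed first factor is itself a weakness even when the query is safe.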

Impact

Exploitation of this vulnerability results in arbitrary SQL execution on the backend database, which can lead to unauthorized database access, creation of privileged users, manipulation or deletion of important data, and denial-of-service conditions.

Added: Jun 9, 2026, 10:32 AM
Updated: Jun 9, 2026, 10:32 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  7.4
remediation     0.0
relevance       9.4
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.