CVE-2020-12606: SQL injection in SGLAC
Vendor: DBSOFT
Vendor URL: http://www.dbsoft.es/es-es/productos/sglac.aspx
Versions affected: SGLAC <20.05.001
Discovered by: Pablo Martinez (@xassiz)
Public fix: Yes
Proof of Concept: No
Summary
The SGLAC web frontend (versions before 20.05.001) is prone to an unauthenticated SQL injection.
Details
The ProcedimientoGenerico method of the SVCManejador.svc web service in the SGLAC web frontend allows an unauthenticated attacker to run arbitrary SQL statements on the backing SQL Server instance.
Impact
Because the injected statements reach the SQL Server instance, operating-system command execution can be easily achieved by using the xp_cmdshell stored procedure.
Recommendation
Update to a fixed version (>=20.05.001).
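Two defender-side checks that follow from this advisory, written here as an added example (not code from DBSOFT or from the advisory author): a component-wise comparison of an installed SGLAC version against the fixed release 20.05.001, and a scan of web-server access log lines for requests to the SVCManejador.svc ProcedimientoGenerico endpoint that carry the xp_cmdshell keyword named under Impact. The W3C-style log layout and the log lines are assumed and constructed; a real deployment would also need the request body, which access logs normally omit.

```python
"""Added example for CVE-2020-12606 (not part of the advisory)."""
import re
from urllib.parse import unquote

FIXED_VERSION = "20.05.001"          # fixed release named in the advisory
# Keywords whose presence in a request to the generic-procedure endpoint is a
# strong indicator of the post-exploitation step the advisory describes.
SUSPICIOUS_SQL = ("xp_cmdshell", "sp_oacreate", "openrowset")
ENDPOINT = re.compile(r"svcmanejador\.svc.*procedimientogenerico", re.I)


def parse_version(version):
    """'20.05.001' -> (20, 5, 1); numeric parts so '20.10.x' > '20.05.x'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_fixed_version(installed, fixed=FIXED_VERSION):
    """True when the installed build is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


def find_suspicious_requests(log_lines):
    """Return (client_ip, keyword) for each line that hits the vulnerable
    endpoint with a command-execution keyword in the decoded URI or query.
    Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    """
    hits = []
    for line in log_lines:
        if not line or line.startswith("#"):   # skip W3C header lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, uri, query = fields[2], fields[4], fields[5]
        decoded = unquote(uri + "?" + query).lower()
        if not ENDPOINT.search(decoded):
            continue
        for keyword in SUSPICIOUS_SQL:
            if keyword in decoded:
                hits.append((client_ip, keyword))
                break
    return hits


# Constructed sample log (assumed layout); 198.51.100.7 is a documentation address.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-05-01 10:00:01 10.0.0.5 POST /SGLAC/SVCManejador.svc/ProcedimientoGenerico - 200
2020-05-01 10:00:07 198.51.100.7 POST /SGLAC/SVCManejador.svc/ProcedimientoGenerico proc=xp_cmdshell 200
2020-05-01 10:00:09 10.0.0.5 GET /SGLAC/Default.aspx - 200
""".splitlines()
```

Any hit from `find_suspicious_requests` on a build where `is_fixed_version` is false should be treated as a likely compromise of the SQL Server host, not just of the application.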
Timeline
- 28/04/2020 - Vendor contact
- 27/05/2020 - Release of fixed version