SQL Injection vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the where Clause in Award Document Rendering.
An attacker can inject malicious SQL code through the WHERE clause used during award document rendering. Improper validation or lack of adequate input data sanitization allows manipulation of database queries. Through a properly crafted query, it is possible to execute arbitrary code on the server.
An attacker can gain full access to the database (read, modify, delete data) and execute arbitrary code on the server, which may lead to complete system takeover.
Apply patches available from the vendor according to the references. It is also recommended to implement validation and sanitization of input data and consider using parameterized queries (prepared statements) as a temporary security measure.
DerbyNet v9.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDerbynet
APPDerbynet≤ 9.0
Related vulnerabilities
SQL Injection z możliwością RCE w DerbyNet v9.0 i wcześniejszych
Path Traversal z RCE w DerbyNet v.9.0 — komponent kiosk.php
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary co...
SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via ...
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via t...