An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform command line execution through SQL Injection due to improper neutralization of special elements used in an OS command.
The Caterease application improperly neutralizes special characters passed in SQL queries, which are subsequently interpreted as operating system commands (CWE-78 — improper neutralization of special elements used in an OS command). An attacker can remotely, without authentication, prepare malicious input containing an SQL Injection payload, which consequently leads to execution of arbitrary commands at the operating system level. The attack is possible over the network, does not require user interaction or any privileges.
An attacker can gain full control over the system — read, modify or delete data, as well as execute arbitrary system commands, which may lead to complete server takeover (RCE).
Patches available from the vendor should be applied according to the references. It is recommended to monitor official vendor channels (caterease.com, horizon.com) for update information. Until the patch is applied, it is recommended to restrict network access to the application only to trusted hosts via firewall.
Horizoncloud Caterease versions from 16.0.1.1663 to 24.0.1.2405 and potentially newer versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHorizoncloud Caterease
APPHorizoncloud16.0.1.1663 – 24.0.1.2405
Related vulnerabilities
Traffic Injection w Horizoncloud Caterease – brak weryfikacji źródła komunikacji
Command Injection w Horizoncloud Caterease — zdalne przejęcie systemu OS
SQL Injection w Horizoncloud Caterease — zdalne wykonanie zapytań
Caterease: obniżenie poziomu szyfrowania przez wybór słabszego algorytmu
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versio...