An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform SQL Injection due to improper neutralization of special elements used in an SQL command.
The vulnerability results from improper neutralization of special characters in SQL commands (CWE-89) and system commands (CWE-78). An attacker remotely, without the need for authentication, can inject malicious input into SQL queries handled by the application. The network attack vector with low complexity (AV:N/AC:L/PR:N/UI:N) means that the exploit can be carried out by any unauthenticated network user.
An attacker can gain full access to the application database (read, modify, delete data), and in combination with a command injection vulnerability, potentially take control of the server operating system. The consequences include loss of confidentiality, integrity, and data availability.
Patches available from the manufacturer should be applied according to the references. As temporary measures, it is recommended to restrict network access to the Caterease application only to trusted IP addresses and implement a Web Application Firewall (WAF) that filters malicious SQL queries.
Horizon Business Services Inc. Caterease versions from 16.0.1.1663 to 24.0.1.2405 and potentially later versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHorizoncloud Caterease
APPHorizoncloud16.0.1.1663 – 24.0.1.2405
Related vulnerabilities
Caterease: obniżenie poziomu szyfrowania przez wybór słabszego algorytmu
Traffic Injection w Horizoncloud Caterease – brak weryfikacji źródła komunikacji
Command Injection w Horizoncloud Caterease — zdalne przejęcie systemu OS
SQL Injection umożliwiający command injection w Horizoncloud Caterease
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versio...