vendor:
BackOfficePlus, BackOfficeLite
by:
CVSS: 7.5 (HIGH)
Input Validation and Information Disclosure
CWE: 89, 200, 352
Product Name: BackOfficePlus, BackOfficeLite
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
Comersus BackOfficePlus and BackOfficeLite Input Validation and Information Disclosure Vulnerabilities
The applications are prone to SQL injection attacks, information disclosure, and multiple cross-site scripting attacks. An attacker can exploit these vulnerabilities to retrieve sensitive and privileged information, gain access to the application as an administrative user, and perform cross-site scripting attacks to retrieve cookie-based authentication credentials from victim users; other attacks are also possible.
Mitigation:
Implement proper input validation and sanitization to prevent SQL injection and cross-site scripting attacks. Regularly update the software to the latest version to address any known vulnerabilities.