Vendor: MaxOn ERP Software
By: Ihsan Sencan
CVSS: 7.5 (HIGH)
Vulnerability type: SQL Injection
CWE: 89
Product Name: MaxOn ERP Software
Affected Version From: 8.x
Affected Version To: 9.x
Patch Exists: NO
Related CWE: N/A
CPE: a:talagasoft:maxon_erp_software
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: WiN7_x64/KaLiLinuX_x64
2018

MaxOn ERP Software 8.x-9.x – ‘nomor’ SQL Injection

Any user of the application can perform SQL injection. The vulnerability exists in the 'nomor' parameter handled by the log_activity() function in the User.php file: the value is passed into a SQL query without validation or parameter binding, so an attacker who sends an HTTP POST request with a crafted 'nomor' value can execute arbitrary SQL statements against the underlying database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All input data, including the 'nomor' parameter, should be validated and filtered before it is passed to the SQL query, and the query itself should not be built by concatenating user-supplied values.
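The following PHP is an added illustration of that mitigation and is not MaxOn ERP's own User.php code; the shape of the original log_activity() function, the table and column names, and the expected format of 'nomor' are all assumptions made for the example.

```php
<?php
// Added illustration, not the vendor's code. Table/column names and the
// expected format of 'nomor' are assumptions.

// Vulnerable pattern (assumed): the POST value is concatenated straight into
// the statement, so whoever controls the request body controls the SQL.
function log_activity_vulnerable(PDO $db, array $post): bool
{
    $nomor = $post['nomor'] ?? '';
    $sql = "INSERT INTO log_activity (nomor, waktu) VALUES ('" . $nomor . "', NOW())";
    return $db->exec($sql) !== false;
}

// Hardened form: reject anything outside the format the field is expected to
// hold, then bind the value so the database never parses it as SQL text.
function log_activity(PDO $db, array $post): bool
{
    $nomor = $post['nomor'] ?? '';
    // Allow-list check; the pattern below is an assumed format for 'nomor'.
    if (!preg_match('/^[A-Za-z0-9.\-]{1,32}$/', $nomor)) {
        throw new InvalidArgumentException('nomor: unexpected format');
    }
    $stmt = $db->prepare(
        'INSERT INTO log_activity (nomor, waktu) VALUES (:nomor, NOW())'
    );
    $stmt->bindValue(':nomor', $nomor, PDO::PARAM_STR);
    return $stmt->execute();
}

// Connection setup: disable emulated prepares so binding happens server-side,
// and surface driver errors as exceptions instead of silent failures.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

The allow-list check is the validation layer the advisory recommends; the bound parameter is what actually removes the injection, so both belong in the fix.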