82Flex WEIPDCRM sql injection

Vulnerability

The 82Flex WEIPDCRM software contains an SQL injection vulnerability in an unknown part. The manipulation leads to SQL injection, as described in the CVE description [1]. The software is end-of-life, no longer supported, and the repository was archived as read-only on July 13, 2022. The specific affected version is not clearly identified; the vulnerability was addressed in commit 43bad79392332fa39e31b95268e76fbda9fec3a4 [1].

Exploitation

An attacker can initiate the attack remotely without any prior authentication or user interaction, as stated in the CVE description. The exact parameters and vectors are not disclosed in the available references, but the vulnerability is classified as critical, suggesting low complexity of exploitation [1].

Impact

Successful exploitation allows an attacker to perform SQL injection, which can lead to unauthorized access to the database, information disclosure, and potential data manipulation. The impact is considered critical, and since the product is unsupported, no official fix or support is available.

Mitigation

No official patch is provided by the maintainer, as the product is unsupported. The repository is archived and read-only, meaning no further updates will be issued. The best mitigation is to upgrade to a supported solution or discontinue use of the software. The commit 43bad79392332fa39e31b95268e76fbda9fec3a4 was a hotfix applied before archival, but its content only addresses XSS filtering, not the SQL injection directly; the specific SQL injection fix may be incomplete or absent [1]. Users are recommended to apply the patch from that commit if possible, but reliance on unsupported software is strongly discouraged.