CVE-2021-47801
Description
Vianeos OctoPUS 5 contains a time-based blind SQL injection vulnerability in the 'login_user' parameter during authentication requests. Attackers can exploit this vulnerability by crafting malicious POST requests with specially constructed SQL payloads that trigger database sleep functions to extract information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vianeos OctoPUS 5 is vulnerable to time-based blind SQL injection in the 'login_user' parameter, enabling unauthenticated attackers to extract sensitive database information.
The application fails to properly sanitize the 'login_user' value submitted in authentication requests before including it in SQL queries, allowing attackers to inject SQL commands that trigger database sleep functions to infer information [1][3].
Exploitation requires no authentication; an attacker can craft malicious POST requests to the authentication endpoint with specially constructed SQL payloads. By measuring response delays, the attacker can extract data character by character, as demonstrated in publicly available exploit code [4].
An attacker can extract sensitive information from the database, including user credentials, subscriber data, device databases, and other backend information managed by OctoPUS [2]. This could lead to further compromise of the middleware platform and connected services, as OctoPUS acts as a central hub for managing video content and subscriber databases [2][3].
As of the publication date, no official patch is available. The vendor's website indicates the product is actively supported [1]. Mitigations include implementing strict input validation, using parameterized queries, and deploying a web application firewall to block SQL injection attempts. The exploit is publicly accessible via Exploit-DB [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
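A detection sketch for the behaviour described above, added here as an example and not taken from the vendor, the CVE record or the referenced exploit: it scans authentication log records for SQL delay functions in `login_user` and for repeated slow responses to malformed login names. The record fields (`src`, `login_user`, `duration`), the thresholds and the login-name allowlist are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Delay primitives of common DBMSs; the page does not name OctoPUS's backend.
DELAY_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep|dbms_lock\.sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# Assumed allowlist for a login name; adjust to the deployment's real format.
LOGIN_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")
SLOW_SECONDS = 3.0  # assumed: authentication normally answers well under this
MIN_SLOW_HITS = 3   # repeated slow, malformed logins from one source

def classify(rec):
    """Reasons a single authentication request looks like blind-SQLi probing."""
    reasons = []
    if DELAY_RE.search(rec["login_user"]):
        reasons.append("delay-function")
    if not LOGIN_RE.fullmatch(rec["login_user"]):
        reasons.append("invalid-login-format")
    if rec["duration"] >= SLOW_SECONDS:
        reasons.append("slow-response")
    return reasons

def suspicious_sources(records):
    """Sources that sent a delay function, or repeated slow malformed logins."""
    stats = defaultdict(lambda: [0, 0])  # [delay hits, slow+malformed hits]
    for rec in records:
        reasons = classify(rec)
        stats[rec["src"]][0] += "delay-function" in reasons
        stats[rec["src"]][1] += {"slow-response", "invalid-login-format"} <= set(reasons)
    return sorted(s for s, (d, sb) in stats.items() if d or sb >= MIN_SLOW_HITS)

# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE = [
    {"src": "192.0.2.10", "login_user": "alice", "duration": 0.12},
    {"src": "192.0.2.10", "login_user": "alice", "duration": 3.40},    # slow but well-formed
    {"src": "192.0.2.11", "login_user": "o'brien", "duration": 0.15},  # malformed but fast
    {"src": "198.51.100.7", "login_user": "x' AND SLEEP(5)-- ", "duration": 5.08},
    {"src": "198.51.100.7", "login_user": "x' AND SLEEP(5)-- ", "duration": 0.11},
    {"src": "203.0.113.9", "login_user": "x'<obfuscated-expr-1>", "duration": 4.02},
    {"src": "203.0.113.9", "login_user": "x'<obfuscated-expr-2>", "duration": 4.05},
    {"src": "203.0.113.9", "login_user": "x'<obfuscated-expr-3>", "duration": 4.01},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["src"], classify(rec))
    print("flag:", suspicious_sources(SAMPLE))
```

The second rule matters because keyword matching alone misses encoded or obfuscated delay expressions, while the timing pattern that the extraction depends on stays visible in the logs.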
Affected products
1
Patches
0
No patches discovered yet.
References
4
News mentions
0
No linked articles in our index yet.