CVE-2023-27779
Description
AM Presencia v3.7.3 was discovered to contain a SQL injection vulnerability via the user parameter in the login form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in AM Presencia v3.7.3 login form via user parameter allows unauthorized database access.
Vulnerability
AM Presencia version 3.7.3 contains a SQL injection vulnerability in the login form. The user parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL commands. This issue affects the login functionality of the application.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the login endpoint with malicious SQL code in the user parameter. No authentication is required as the login form is publicly accessible. The attacker only needs network access to the application. The injection occurs during the authentication process, potentially allowing the attacker to manipulate the SQL query to bypass authentication or extract data.
Impact
Successful exploitation could lead to unauthorized access to the application, disclosure of sensitive data stored in the database, or further compromise of the system. The attacker may gain the ability to read, modify, or delete database contents, depending on the database permissions.
Mitigation
As of the publication date, no official patch or fixed version has been released by the vendor. The available references do not provide any mitigation details. Users should apply input validation and parameterized queries to the login form as a workaround. If the application is no longer supported, consider migrating to a different solution.
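The workaround named above, sketched as an added example; it is not AM Presencia code and is not taken from the CVE references. The table layout, the function names, the `user` allow-list and the use of SQLite are all assumptions made for illustration. A name containing an apostrophe breaks the concatenated statement, while the bound parameter is handled as plain data.

```python
import hashlib, hmac, os, re, sqlite3

# Assumed policy for the login form's `user` field: short, fixed alphabet.
USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed in-memory table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, _hash("correct horse", salt)))
    return conn

def lookup_unsafe(conn, user):
    # The flaw class described above: `user` becomes part of the SQL text.
    return conn.execute(
        "SELECT salt, pw FROM users WHERE name = '" + user + "'").fetchone()

def lookup_safe(conn, user):
    # Placeholder binding: `user` is passed as a value, never parsed as SQL.
    return conn.execute(
        "SELECT salt, pw FROM users WHERE name = ?", (user,)).fetchone()

def login(conn, user, password):
    if not USER_RE.fullmatch(user):      # input validation, defence in depth
        return False
    row = lookup_safe(conn, user)
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash(password, salt))

def reaches_sql_parser(lookup, conn, user):
    """True when a quote in `user` alters the statement the database parses."""
    try:
        lookup(conn, user)
        return False
    except sqlite3.OperationalError:
        return True
```

`reaches_sql_parser` can serve as a regression check: run it against every query helper that accepts the `user` value and fail the build if any returns True.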
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AM/Presencia
- Range: = 3.7.3
Patches
No patches discovered yet.