VYPR
Medium severity (5.4) · NVD Advisory · Published Apr 22, 2024 · Updated Apr 15, 2026

CVE-2024-22856

Description

A SQL injection vulnerability via the Save Favorite Search function in Axefinance Axe Credit Portal >= v.3.0 allows authenticated attackers to execute unintended queries and disclose sensitive information from DB tables via crafted requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated blind SQL injection in Axe Credit Portal's Save Favorite Search function allows attackers to extract database content.

Vulnerability

Description

An authenticated blind SQL injection vulnerability exists in the Save Favorite Search function of Axe Credit Portal (ACP) version 3.0 and higher. The flaw resides in the favoriteSearchCriteriaName parameter of the /Persistance/SaveFavoriteSearchCriteriaContent API endpoint. The application fails to properly sanitize this input, allowing an attacker to inject arbitrary SQL commands that are executed against the backend database. [1]

Exploitation

To exploit this vulnerability, an attacker must first authenticate as a user with access to the Customer Search module (e.g., SaleRm role). By navigating to the ACL Menu -> Customer -> Search Customer, filling in a Customer CIF field, and clicking the yellow star icon to access the Save Favorite Search function, the attacker can then input crafted payloads into the Favorite Criteria Name field. The proof of concept demonstrates blind SQL injection using time-based techniques: for example, the payload 1' ; IF(1=1) WAITFOR DELAY '00:00:05'-- causes a five-second delay, confirming SQL execution. Automated extraction of database names can be performed by iterating characters with ASCII comparisons. [1]

Impact

A successful exploit allows an authenticated attacker to execute arbitrary, unintended SQL queries. This can lead to the disclosure of sensitive information from database tables, including potentially customer records, financial data, or other confidential information managed by the ACP system. Exploitation requires authentication, but any authenticated user with access to the affected function can leverage it to read database contents. [1]

Mitigation

According to the reference analysis, the vendor, Axefinance, has addressed this vulnerability (it was reported in May 2023 and fixed by the R&D department). Users of Axe Credit Portal versions 3.0 and higher should apply the vendor-provided update or patch to remediate the issue. No workarounds are documented. [1]
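As an added detection example (not part of this advisory and not code from Axefinance), the following Python script scans web-server log lines for requests to the /Persistance/SaveFavoriteSearchCriteriaContent endpoint whose favoriteSearchCriteriaName value carries SQL control sequences, and separately flags responses whose latency matches the time-based probe described above. Only the endpoint path, the parameter name and the WAITFOR DELAY probe come from the record; the log format, IP addresses, usernames, timings, bodies and the latency threshold are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Endpoint and parameter named in the CVE record.
TARGET_PATH = "/Persistance/SaveFavoriteSearchCriteriaContent"
PARAM = "favoriteSearchCriteriaName"
# The PoC sleeps 5 s; anything near that is treated as a time-based probe signal (assumed threshold).
SLOW_MS = 4000

# Assumed log format: ip user method path status duration_ms "url-encoded form body"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'(?P<status>\d+) (?P<ms>\d+) "(?P<body>.*)"$'
)

# Indicators of SQL control sequences in a free-text name field. A lone
# apostrophe (as in O'Brien) is legitimate and is deliberately not matched.
SQLI_PATTERNS = [
    re.compile(r"'\s*;"),                          # quote closes the literal, ';' starts a new statement
    re.compile(r"\bWAITFOR\s+DELAY\b", re.I),      # MSSQL time-based probe used in the PoC
    re.compile(r"'\s*(AND|OR)\b.*--", re.I),       # quote, boolean condition, trailing comment
    re.compile(r"\b(ASCII|SUBSTRING)\s*\(", re.I), # character-by-character inference helpers
]

# Constructed sample records (not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 jdoe POST /Persistance/SaveFavoriteSearchCriteriaContent 200 41 '
    '"favoriteSearchCriteriaName=Q2+prospects&criteria=cif%3D1001"',
    '10.0.0.9 sale01 POST /Persistance/SaveFavoriteSearchCriteriaContent 200 5012 '
    '"favoriteSearchCriteriaName=1%27+%3B+IF%281%3D1%29+WAITFOR+DELAY+%2700%3A00%3A05%27--&criteria=cif%3D1"',
    '10.0.0.9 sale01 POST /Persistance/SaveFavoriteSearchCriteriaContent 200 37 '
    '"favoriteSearchCriteriaName=1%27+AND+1%3D1--&criteria=cif%3D1"',
    '10.0.0.7 alice POST /Persistance/SaveFavoriteSearchCriteriaContent 200 39 '
    '"favoriteSearchCriteriaName=O%27Brien+accounts&criteria=cif%3D2002"',
    '10.0.0.5 jdoe GET /Customer/Search 200 12 ""',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    # parse_qs decodes '+' and %XX escapes, so patterns run over the value the server saw
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["body"]).items()}
    return rec


def classify(rec):
    """Return the reasons a request looks like an injection attempt against the endpoint."""
    if rec is None or rec["path"] != TARGET_PATH:
        return []
    value = rec["params"].get(PARAM, "")
    reasons = [f"pattern:{p.pattern}" for p in SQLI_PATTERNS if p.search(value)]
    if rec["ms"] >= SLOW_MS:
        reasons.append(f"slow:{rec['ms']}ms")
    return reasons


def scan(lines):
    """Return one alert per suspicious request, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({"ip": rec["ip"], "user": rec["user"],
                           "value": rec["params"].get(PARAM, ""), "reasons": reasons})
    return alerts


def repeat_offenders(alerts, threshold=2):
    """Users with at least `threshold` alerts: blind extraction needs one request per character."""
    counts = Counter(a["user"] for a in alerts)
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f"{a['user']}@{a['ip']}: {a['value']!r} -> {', '.join(a['reasons'])}")
    print("repeat offenders:", repeat_offenders(found))
```

Latency is reported as its own reason rather than folded into the pattern match because slow responses are noisy on their own; the per-user aggregation is the stronger signal, since both boolean and time-based blind extraction require one request per recovered character, so a burst of flagged requests from a single account stands out even when individual payloads vary.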

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1
