CVE-2019-25688
Infor · Kados R10 GreenBee
Kados R10 GreenBee is vulnerable to SQL injection via the menu_lev1 parameter, allowing unauthenticated attackers to execute arbitrary database queries.
Executive summary
An unauthenticated SQL injection vulnerability in Infor Kados R10 GreenBee permits remote attackers to compromise database integrity and confidentiality.
Vulnerability
This is a classic SQL injection vulnerability in the menu_lev1 request parameter: the user-supplied value is incorporated into a backend SQL statement without parameterization or adequate escaping, so crafted input changes the structure of the query rather than being treated as data. Because the affected request can be reached without authentication, a remote attacker can inject SQL to read data the query was never meant to return and, depending on the privileges of the application's database account, to manipulate backend database operations.
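To make the mechanism concrete, the following added example (not Infor's code and not taken from Kados R10 GreenBee, whose schema and query text are not public) contrasts a hypothetical lookup that concatenates menu_lev1 into the query with its parameterized form. The table names, rows and payloads are constructed for the example; SQLite is used only because it runs in-process.

```python
import sqlite3

# Constructed stand-in schema for this example; the real Kados R10 GreenBee
# schema and query are not public and are not reproduced here.
SCHEMA = """
CREATE TABLE menu  (id INTEGER PRIMARY KEY, lev1 TEXT, label TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO menu  VALUES (1, 'home', 'Home'), (2, 'reports', 'Reports');
INSERT INTO users VALUES (1, 'admin', 'placeholder-hash');
"""


def open_db():
    """Return an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def menu_lookup_vulnerable(conn, menu_lev1):
    """Hypothetical vulnerable pattern: the request parameter is spliced into
    the SQL text, so a quote character in it terminates the literal and the
    rest of the value is parsed as SQL."""
    sql = "SELECT label FROM menu WHERE lev1 = '" + menu_lev1 + "'"
    return sorted(row[0] for row in conn.execute(sql))


def menu_lookup_fixed(conn, menu_lev1):
    """Hardened form: the value is bound as a parameter and never parsed as
    SQL, so the same payloads simply match no row."""
    sql = "SELECT label FROM menu WHERE lev1 = ?"
    return sorted(row[0] for row in conn.execute(sql, (menu_lev1,)))


# Two constructed payloads of the kind aimed at such a parameter. The UNION
# payload pulls rows from an unrelated table through the menu query; the
# trailing "-- " comments out the closing quote the application appends.
# (sqlite3.execute runs a single statement, so stacked queries are not shown;
# data extraction does not need them.)
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username || ':' || password_hash FROM users -- "

if __name__ == "__main__":
    db = open_db()
    print("normal       :", menu_lookup_vulnerable(db, "home"))
    print("tautology    :", menu_lookup_vulnerable(db, TAUTOLOGY))
    print("union dump   :", menu_lookup_vulnerable(db, UNION_DUMP))
    print("fixed, union :", menu_lookup_fixed(db, UNION_DUMP))
```

Run as-is, the vulnerable lookup returns every menu row for the tautology and the admin credential row for the UNION payload, while the parameterized lookup returns nothing for either: the fix is in how the value reaches the database, not in filtering the value.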
Business impact
Successful exploitation allows unauthorized access to sensitive information stored within the database, potentially leading to full data exfiltration or unauthorized administrative modifications. With a CVSS score of 8.2 (High), this vulnerability represents a significant risk to organizational data integrity and compliance requirements.
Remediation
Immediate Action: Consult the official vendor security advisory to identify and apply the necessary patches or security updates to the Kados R10 GreenBee environment. The code-level correction for this class of flaw is to pass the menu_lev1 value as a bound parameter of a prepared statement rather than concatenating it into the query text; input filtering alone does not remove the defect.
Proactive Monitoring: Enable database query logging and review web server and application logs for requests whose menu_lev1 value contains quote characters, SQL keywords such as UNION or SELECT, comment sequences (--, #, /*) or time-delay functions, and correlate them with database syntax errors or HTTP 5xx responses, which are the usual footprint of probing before a working payload is found.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict input validation rules to block malicious SQL payloads targeting the menu_lev1 parameter. Treat this as a temporary measure only: WAF signatures can be evaded through encoding and obfuscation, and the underlying flaw remains until the application is fixed.
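The monitoring item above can be turned into a simple log check. The following is an added example, not a Kados or Infor tool: it parses Apache-style access log lines, URL-decodes the menu_lev1 value, and flags the injection indicators listed above, treating a lone quote as suspicious only when the request also produced a server error so that legitimate apostrophes are not reported. The request path /kados/menu.do and every log line are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (Apache combined format); not real Kados
# traffic. The path /kados/menu.do is an assumption made for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /kados/menu.do?menu_lev1=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /kados/menu.do?menu_lev1=reports' HTTP/1.1" 500 221 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /kados/menu.do?menu_lev1=%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20- HTTP/1.1" 200 4412 "-" "sqlmap/1.7"
203.0.113.7 - - [12/Mar/2024:10:01:11 +0000] "GET /kados/menu.do?menu_lev1=1%27%20AND%20SLEEP%285%29%23 HTTP/1.1" 200 1532 "-" "sqlmap/1.7"
203.0.113.7 - - [12/Mar/2024:10:01:14 +0000] "GET /kados/menu.do?menu_lev1=home%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 3010 "-" "sqlmap/1.7"
10.0.0.5 - - [12/Mar/2024:10:02:00 +0000] "GET /kados/menu.do?menu_lev1=O'Brien HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators checked against the decoded parameter value, in report order.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"""\b(or|and)\b\s*['"\d]+\s*=\s*['"\d]+""", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\b\s*\(", re.I)),
    ("stacked-query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]


def analyze_line(line, param="menu_lev1"):
    """Return a finding dict for one log line, or None if it is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    values = parse_qs(urlsplit(m.group("target")).query).get(param)
    if not values:
        return None
    value = values[0]  # parse_qs has already URL-decoded it
    reasons = [name for name, rx in SQLI_PATTERNS if rx.search(value)]
    # A quote that coincides with a 5xx response is the "syntax error" signal
    # of manual probing; a quote with a normal response (O'Brien) is left alone.
    if "'" in value and m.group("status").startswith("5"):
        reasons.append("quote-with-server-error")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "value": value, "reasons": reasons}


def scan_log(text, param="menu_lev1"):
    """Scan a whole log text and return the findings in file order."""
    hits = (analyze_line(line, param) for line in text.splitlines())
    return [hit for hit in hits if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["reasons"], repr(hit["value"]))
```

On the sample input this reports four of the six requests: the quoted value that produced a 500, the UNION read, the time-based probe and the tautology, and it stays quiet on the ordinary name containing an apostrophe. Real traffic would need the patterns tuned to the application, but the correlation of suspicious values with 5xx responses is the part that separates probing from noise.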
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given that unauthenticated attackers can interact directly with the database through this parameter, immediate action is required. Organizations should prioritize applying the vendor fix, and use virtual mitigations such as WAF rules only to cover the interval until the patch is in place, to prevent unauthorized access to the underlying data store.