CVE-2019-25700

Infor · Kados R10 GreenBee

Kados R10 GreenBee is susceptible to SQL injection via the sort_direction parameter, allowing for unauthorized database query manipulation.

Executive summary

An SQL injection vulnerability in Infor Kados R10 GreenBee allows attackers to execute malicious database queries, threatening data integrity.

Vulnerability

The application fails to sanitize the sort_direction parameter, permitting attackers to inject arbitrary SQL statements. This vulnerability allows for unauthorized database interaction.

Business impact

Exploiting this vulnerability could lead to unauthorized data access or modification, potentially causing significant business disruption. The CVSS score of 8.2 emphasizes the need for rapid remediation to protect organizational assets.

Remediation

Immediate Action: Apply the vendor-supplied security patch to the affected system.

Proactive Monitoring: Monitor for anomalous query patterns in database logs and review system access logs for suspicious activity.

Compensating Controls: Deploy WAF rules to block malicious SQL injection payloads targeting the sort_direction parameter.
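The defect described under Vulnerability (a sort direction concatenated into an ORDER BY clause, which cannot take a bound parameter) and the monitoring step under Remediation can be illustrated together. The following is an added example written for this page, not Kados code: an allowlist check for the sort_direction value, a hardened query built only from that allowlisted keyword, and a scan over constructed access-log lines that flags requests whose sort_direction value falls outside the allowlist. The users table, the log lines and the /list path are all constructed placeholders.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def safe_direction(sort_direction: str) -> str:
    """Map caller input onto a fixed allowlist; anything else is rejected.
    The ORDER BY direction cannot be a bound parameter, so an allowlist
    (not escaping) is the right control for this kind of parameter."""
    direction = sort_direction.strip().upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort_direction: {sort_direction!r}")
    return direction

# Constructed sample rows; not data from the affected product.
ROWS = [("alice", 3), ("bob", 1), ("carol", 2)]

def fetch_sorted(sort_direction: str) -> list:
    """Hardened query: the only caller-influenced text that reaches the SQL
    string is the allowlisted keyword returned by safe_direction()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    query = "SELECT name, score FROM users ORDER BY score " + safe_direction(sort_direction)
    return conn.execute(query).fetchall()

# Constructed access-log lines; /list is a placeholder path, not a real endpoint.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /list?sort_direction=ASC HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /list?sort_direction=desc HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /list?sort_direction=ASC%2Cname HTTP/1.1" 500',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_suspicious_requests(lines):
    """Detection: return log lines whose sort_direction value is not an
    allowlisted keyword, i.e. requests that would be rejected by the fix."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group(1)).query)  # parse_qs also percent-decodes
        for value in params.get("sort_direction", []):
            try:
                safe_direction(value)
            except ValueError:
                flagged.append(line)
                break
    return flagged
```

The same allowlist function serves both the fix and the detection rule, so the log scan flags exactly the values the patched code would refuse.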

Exploitation status

Public Exploit Available: false

Analyst recommendation

Security teams should prioritize patching this vulnerability to prevent potential unauthorized database access. Consistent with high-severity vulnerabilities, immediate action is recommended.