Description
Multiple vulnerabilities have been discovered in webERP, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks, cross-site request forgery attacks, and compromise a vulnerable system.
1) The application allows users to perform certain state-changing actions via HTTP requests without verifying that the request was intentionally submitted by the user (for example by requiring a per-session anti-CSRF token). This can be exploited to e.g. change an administrator's password or add a new administrative user by tricking a logged-in administrative user into visiting a malicious web site.
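
As an added illustration of the missing check in item 1 (constructed example code, not webERP's own), the following Python simulates a state-changing handler that only proceeds when the request carries a token bound to the caller's session. The field name `csrf_token`, the handler and the request shape are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not webERP code): a state-changing handler that refuses
# requests lacking an anti-CSRF token bound to the caller's session.
# A page on another origin can make the victim's browser send the request
# with the victim's session cookie, but it cannot read the token out of
# the legitimate form, so the forged request fails this check.

# Assumption: one random secret per server process, never sent to clients.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id):
    """Token embedded as a hidden field in every state-changing form.

    Derived from the session id with an HMAC, so it needs no extra storage
    and cannot be forged without SERVER_SECRET.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, submitted):
    """Constant-time comparison of the submitted token against the expected one."""
    if not isinstance(submitted, str) or not submitted:
        return False
    expected = issue_token(session_id).encode()
    return hmac.compare_digest(expected, submitted.encode())


def handle_change_password(request, session_id):
    """Simulated POST handler; `request` is a dict of form fields.

    The hidden field name `csrf_token` is an assumption of this example.
    """
    if not token_is_valid(session_id, request.get("csrf_token")):
        return "rejected: missing or invalid anti-CSRF token"
    # Only here would the real handler touch the database.
    return "password changed for " + request["UserID"]


if __name__ == "__main__":
    sid = "victim-session"
    # Legitimate submission from the application's own form.
    print(handle_change_password(
        {"UserID": "admin", "Password": "new", "csrf_token": issue_token(sid)}, sid))
    # Forged submission: same session cookie, but the attacker's page
    # could not obtain the token, so it is absent (or guessed wrongly).
    print(handle_change_password({"UserID": "admin", "Password": "owned"}, sid))
```

The check only helps if every endpoint that changes state performs it, and if no such action is reachable through a plain GET that a hidden image or link can trigger.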
2) Input passed via the "SelectedCustomer" and "SelectedStockItem" parameters to SelectSalesOrder.php, the "SelectedStockItem" parameter to SelectWorkOrder.php, the "WO" parameter to WorkOrderCosting.php, and the "WO" and "StockID" parameters to WorkOrderReceive.php and WorkOrderIssue.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
3) Input passed via the "SelectedCustomer" and "SelectedStockItem" parameters to SelectSalesOrder.php, the "SelectedStockItem" parameter to SelectWorkOrder.php, the "WO" parameter to WorkOrderCosting.php, the "WO" and "StockID" parameters to WorkOrderReceive.php and WorkOrderIssue.php, the "OrderNumber" parameter to SelectCompletedOrder.php, the "OrderNo" parameter to PO_OrderDetails.php, the "SelectedReport" parameter to SalesAnalRepts.php, the "ReportID" parameter to SalesAnalReptCols.php and SalesAnalysis_UserDefined.php, the "TransType" parameter to CustomerTransInquiry.php, the "BatchNo" parameter to PDFBankingSummary.php, the "TransNo" and "TransType" parameters to CustWhereAlloc.php, the "FromTransNo" parameter to PrintCustTrans.php, and the "tag", "FromPeriod", and "ToPeriod" parameters to GLTagProfit_Loss.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
4) Input passed via the "WO" parameter to WorkOrderEntry.php, the "WO" and "StockID" parameters to WorkOrderStatus.php, and the "Areas[]" and "SalesPeople[]" parameters in PDFCustomerList.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
NOTE: Parameters in vulnerability #4 can further be exploited to conduct cross-site scripting attacks, as the unsanitised input is reflected in the resulting SQL error messages.
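
To show the difference between the unsanitised query pattern in items 3 and 4 and its fix, together with the error-message reflection the note describes (an added example, not webERP code), the following Python uses an in-memory SQLite table standing in for a work-order table and a "WO" request parameter like the one passed to WorkOrderCosting.php. The table layout, the page functions and the error-page format are assumptions of the example.

```python
import html
import re
import sqlite3

# Added example (not webERP code). An in-memory SQLite table stands in for
# the work-order table; the column names and page layout are assumptions.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workorders (wo INTEGER PRIMARY KEY, stockid TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO workorders VALUES (?, ?, ?)",
                     [(1, "WIDGET-A", 10), (2, "WIDGET-B", 5), (3, "GADGET", 7)])
    return conn


def build_vulnerable_sql(wo):
    # Request parameter spliced straight into the statement text: the
    # database engine can no longer tell the value from the query.
    return "SELECT wo, stockid, qty FROM workorders WHERE wo='" + wo + "'"


def lookup_vulnerable(conn, wo):
    return conn.execute(build_vulnerable_sql(wo)).fetchall()


def lookup_fixed(conn, wo):
    # Validate the type the page actually expects, then bind the value so
    # it travels to the engine separately from the statement text.
    if not re.fullmatch(r"[0-9]+", wo):
        raise ValueError("WO must be a non-negative integer")
    return conn.execute(
        "SELECT wo, stockid, qty FROM workorders WHERE wo=?", (int(wo),)).fetchall()


def page_vulnerable(conn, wo):
    """Renders the failing statement into the error page, unescaped (the
    pattern behind the advisory's note on XSS via SQL error messages)."""
    sql = build_vulnerable_sql(wo)
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "<p>Database error: %s<br>Query: %s</p>" % (exc, sql)
    return "<ul>" + "".join("<li>%s</li>" % r[1] for r in rows) + "</ul>"


def page_fixed(conn, wo):
    """Rejects malformed input up front, binds the value, and escapes
    everything that reaches the HTML; error details stay on the server."""
    try:
        rows = lookup_fixed(conn, wo)
    except ValueError:
        return "<p>Invalid work order number.</p>"
    except sqlite3.Error:
        return "<p>Database error (details are logged on the server).</p>"
    return "<ul>" + "".join("<li>%s</li>" % html.escape(r[1]) for r in rows) + "</ul>"


if __name__ == "__main__":
    conn = make_db()
    tautology = "1' OR '1'='1"                  # constructed input
    print(lookup_vulnerable(conn, tautology))   # every row, not just WO 1
    print(page_fixed(conn, tautology))          # rejected before any query runs
    markup = "' <img src=x onerror=alert(1)>"   # constructed input
    print(page_vulnerable(conn, markup))        # error page reflects the tag verbatim
    print(page_fixed(conn, markup))
```

Binding alone stops the injection; the integer check additionally gives the page a clean rejection path for the numeric parameters ("WO", "OrderNo", "TransNo", "FromPeriod" and the like) instead of a database error, and escaping the output closes the reflection regardless of where the text came from.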
5) Input passed to the "LineNo" parameter in includes/InputSerialItemsFile.php is not properly verified before being used to upload files. This can be exploited to upload arbitrary files and e.g. execute arbitrary PHP code.
The vulnerabilities are confirmed in version 3.11.4. Other versions may also be affected.