Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Universal Software Inc. FlexWater Corporate Water Management allows SQL Injection. This issue affects FlexWater Corporate Water Management: before 5.452.0.
The vulnerability results from improper neutralization of special characters passed to SQL queries — the application does not filter or parameterize user input data before using it in database commands. An attacker can remotely, without authentication and without user interaction, inject arbitrary SQL commands over the network. This allows reading, modifying, or deleting data stored in the water management system database.
An attacker can gain full access to the database (confidentiality, integrity, availability), which in the context of a water infrastructure management system may mean theft of operational data, modification of configuration, or complete system shutdown.
FlexWater Corporate Water Management should be updated to version 5.452.0 or later. Detailed information is available in the USOM security notice at https://www.usom.gov.tr/bildirim/tr-24-1011
FlexWater Corporate Water Management in versions prior to 5.452.0 (manufacturer: Universal Software Inc.)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HUni Yaz Flexwater Corporate Water Management
APPUni-Yaz< 5.452.0
Related vulnerabilities
Privilege Defined With Unsafe Actions, Missing Authentication for Critical Function vulnerability in Universal...
Authentication Bypass Using an Alternate Path or Channel vulnerability in Universal Software Inc. FlexCity/Kio...
Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allow...