The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents.
The vulnerability results from lack of proper validation and sanitization of input data passed to SQL queries (CWE-89). An attacker can inject malicious SQL commands directly over the network without needing a system account. This allows manipulation of the logic of queries directed to the application database.
An attacker can read, modify, or delete the contents of the eHDR CTMS system database, which may lead to disclosure of sensitive patient data or disruption of the clinical trial management system.
Apply patches available from the manufacturer in accordance with references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8169-0632f-2.html)
Sun.Net eHDR CTMS — versions indicated in the manufacturer's references (TWCERT)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSun.net Ehrd Ctms
APPSun.Net< 10.0
Related vulnerabilities
SQL Injection w SUNNET Corporate Training Management System
RCE poprzez external control of file path w SUNNET CTMS
Brak autoryzacji w SUNNET CTMS umożliwia nieautoryzowane wdrożenie aplikacji
Brak uwierzytelnienia w SUNNET CTMS — dostęp do funkcji wdrożeniowych
CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject ...