The a+HRD from aEnrich Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
An attacker can inject arbitrary SQL commands directly into queries executed by the application by sending appropriately crafted requests to the remote system. The application does not perform sufficient validation or sanitization of input data before passing it to the database engine. As a result, malicious SQL commands are executed with the privileges of the database account used by the application.
An attacker can read, modify, and delete the contents of the HR and payroll system database, which may lead to the disclosure of sensitive employee data, data integrity violations, and complete destruction of database resources.
Apply patches available from the manufacturer in accordance with references published by TWCERT: https://www.twcert.org.tw/en/cp-139-8373-91edc-2.html. Additionally, it is recommended to restrict network access to the application only to trusted IP addresses and implement firewall rules blocking unauthorized access from external networks.
The A+HRD application from aEnrich Technology — specific versions indicated in the manufacturer's references (TWCERT)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAenrich A\+hrd
APPAenrich≤ 7.5
Related vulnerabilities
Authentication Abuse w aEnrich a+HRD — przejęcie tokenu administratora
Aenrich A+HRD – obejście uwierzytelnienia przez fałszywe tokeny administratora
aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ interpreter....
aEnrich Technology a+HRD has a vulnerability of Deserialization of Untrusted Data within its MSMQ asynchronize...
aEnrich a+HRD has insufficient user input validation for specific API parameter. An unauthenticated remote att...