Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies Agentis allows SQL Injection. This issue affects Agentis: before 4.32.
The vulnerability results from improper neutralization of special characters in input data passed to SQL queries (Improper Neutralization of Special Elements used in an SQL Command). An unauthenticated attacker can remotely inject malicious SQL commands into queries executed by the application over the network. The attack vector indicates no requirements for privileges and user interaction, and the vulnerability has scope beyond the original component (Scope: Changed).
An attacker can gain full access to the database — read, modify or delete data, and depending on server configuration, potentially take control of the system. The vulnerability enables compromise of confidentiality, integrity and availability of data to the highest degree.
The Agentis application must be immediately updated to version 4.32 or later. Details are available in the manufacturer's references and USOM announcements at https://www.usom.gov.tr/bildirim/tr-25-0168.
Rolantis Information Technologies Agentis application in all versions before 4.32.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H