Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks via busqueda/busqueda.php txt_depe_codi, busqueda/busqueda.php txt_usua_codi, anexos_lista.php radi_temp, Administracion/listas/formArea_ajax.php codDepe, Administracion/listas/formDepeHijo_ajax.php codDepe, Administracion/listas/formDepePadre_ajax.php codInst, asociar_documentos/asociar_borrar_referencia.php radi_nume, asociar_documentos/asociar_documento_buscar_query.php radi_nume, asociar_documentos/asociar_documento_grabar.php txt_radi_nume, asociar_documentos/asociar_documento radi_nume, radicacion/buscar_usuario.php buscar_tipo, radicacion/formArea_ajax.php codDepe, radicacion/formDepeHijo_ajax.php codDepe, radicacion/formDepePadre_ajax.php codInst, radicacion/ver_datos_usuario.php destinatorio, reportes/reporte_TraspasoDocFisico.php verrad, tx/datos_imprimir_sobre.php txt_usua_codi, tx/datos_imprimir_sobre.php nume_radi_temp, tx/revertir_firma_digital_grabar.php txt_radi_nume, tx/tx_borrar_opcion_imp.php codigo_opc, tx/tx_realizar_tx.php txt_radicados, tx/tx_seguridad_documentos.php txt_radicados, or uploadFiles/cargar_doc_digitalizado_paginador.php txt_depe_codi.
An authenticated user can inject malicious SQL code fragments through unsecured input parameters (including txt_depe_codi, txt_usua_codi, radi_temp, codDepe, radi_nume, buscar_tipo, txt_radicados and others) in numerous PHP files of the Quipux application. The lack of proper validation and sanitization of these parameters causes input data to be directly included in SQL queries executed on the database server side. According to the CWE-74 and CWE-89 classification, this is an injection vulnerability resulting from the failure to neutralize data in SQL queries.
An attacker can gain unauthorized access to data stored in the database, modify or delete data, and depending on the database server configuration — potentially execute system commands, which could consequently lead to full system compromise. A high scope of breach (Scope: Changed) means that the impact may extend beyond the application component itself.
Security patches available from the vendor should be applied according to the references. An update to a vulnerability-free version published by the vendor at https://minka.gob.ec/quipux-comunitario/quipux-comunitario is recommended. Until the fix is implemented, consider restricting access to vulnerable endpoints at the firewall or web server level and implement strict monitoring of logs for anomalous SQL queries.
Quipux in versions from 4.0.1 to commit e1774ac (inclusive)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HQuipux
APPQuipux4.0.1