| Vendor | |
| Product | Openbravo Business Suite |
| Affected Version(s) | 3.0 and probably prior |
| Tested Version(s) | 3.0 |
| Vulnerability Discovery | May 26, 2017 |
| Vendor Notification | May 26, 2017 |
| Advisory Publication | May 29, 2017 [without technical details] |
| Vendor Acknowledgment | June 13, 2017 |
| Vendor Fix | N/A |
| Public Disclosure | N/A |
| Latest Modification | June 6, 2017 |
| CVE Identifier(s) | CVE-2017-9437 |
| Product Description | The Openbravo Business Suite is a global management solution built on top of a truly modular, mobile-enabled and cloud-ready technology platform that allows organizations to deliver business process improvements faster, be more focused on business differentiation and business process innovation, and do so with lower risks. |
| Credits | Mahmoud Reda, Security Researcher & Penetration Tester @wizlynx group |
| SQL Injection |
| Severity: Medium | CVSS Score: 6.3 | CWE-ID: CWE-89 | Status: Not Fixed |
| Vulnerability Description |
| Openbravo Business Suite version 3.0 is affected by a SQL injection vulnerability. This vulnerability could allow remote authenticated attackers to inject arbitrary SQL code. |
| CVSS Base Score |
| Attack Vector | Network | Scope | Unchanged |
| Attack Complexity | Low | Confidentiality Impact | Low |
| Privileges Required | Low | Integrity Impact | Low |
| User Interaction | Required | Availability Impact | Low |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.