Description
A SQL Injection vulnerability has been found in Epsilon RH by Grupo Castilla. This vulnerability allows an attacker to retrieve, create, update and delete the database by sending a POST request using the parameter ‘sEstadoUsr’ in ‘/epsilonnetws/WSAvisos.asmx’.
Problem types
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
3.03.36.010
Credits
Pedro Gabaldón Juliá
Javier Medina Munuera
Antonio José Gálvez Sánchez
Alejandro Baño Andrés
Álvaro Piñero Laorden
References
www.incibe.es/...cert/notices/aviso/sql-injection-epsilon-rh