CVE-2019-5722
published 2019-03-21

Priority: P259
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.90% (89.0th percentile)
An issue was discovered in portier vision 4.4.4.2 and 4.4.4.6. Due to a lack of user input validation in parameter handling, it has various SQL injections, including on the login form, and on the search form for a key ring number.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
portier | portier | |
portier | portier | |

Detection & IOCs (extracted from sources)

command: ') UNION SELECT 1,user_kz,passwort,1,1,1,1,1,1,1 FROM BENUTZER WHERE (systemuser = 1) AND ('a%' = 'a
command: SELECT BUND.BUND_ID, BUND.BUNDNUMMER, BUND.BESCHREIBUNG, BUND.ABTEILUNG, BUND.BEREICH, BUND.KOSTENSTELLE, DEPOT.BEZEICHNUNG as DEP_BEZEICHNUNG, BUND.BEMERKUNG_1, BUND.BEMERKUNG_2, BUND.BEMERKUNG_3 FROM BUND BUND LEFT OUTER JOIN DEPOT DEPOT ON DEPOT.DEPOT_ID = BUND.DEPOT_ID WHERE ( 1 = 1 ) AND (upper(BUND.BUNDNUMMER) LIKE '') UNION SELECT 1,user_kz,passwort,1,1,1,1,1,1,1 FROM BENUTZER WHERE (systemuser = 1) AND ('a%' = 'a%')
  • Monitor database traffic for UNION SELECT payloads targeting the BENUTZER table, particularly queries extracting user_kz and passwort columns — indicative of credential harvesting via SQLi in the key ring number search field.
  • The application communicates with its database (Firebird or MS SQL) in plain text; network sniffing of database traffic can reveal injected queries. Monitor for anomalous UNION SELECT statements in database wire traffic on the relevant DB port.
  • The login form username field is also injectable; monitor for SQL metacharacters (e.g., single quotes, UNION keywords) in authentication requests to the portier vision client-server database connection.
  • Stacked queries do not work against both supported backends; UNION-based injection is the primary viable technique. Detection should focus on UNION SELECT patterns in queries against BUND.BUNDNUMMER and login parameters.
  • The SQL injection payload structure differs slightly between Firebird and MS SQL backends: Firebird does not support UNION SELECT when the full query is terminated by an ORDER BY clause, reducing the number of exploitable fields on that backend.
  • Authentication bypass via the login form SQLi is NOT possible because authentication logic is implemented client-side, not server-side; however, credential theft (encrypted passwords) of supervisor accounts remains a high-impact attack path.
  • No vendor patch was available at time of disclosure; the solution status was listed as Open and SySS GmbH was not aware of a fix from the manufacturer.
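
The monitoring described in the bullets above, sketched as an added example (not code from the advisory, the vendor or this database): a Python filter for SQL statements already captured from the database connection. The table and column names come from the queries quoted above; the sample statements, the ARCHIV table, the reason labels and the function names are constructed for illustration.

```python
import re

# Table and column names come from the queries quoted on this page.
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b")
CRED_TABLE_RE = re.compile(r"\bBENUTZER\b")
CRED_COLUMN_RE = re.compile(r"\b(?:USER_KZ|PASSWORT)\b")
BUND_SEARCH_RE = re.compile(r"\bFROM\s+BUND\b")


def normalize(sql: str) -> str:
    """Collapse whitespace and uppercase so spacing and case do not matter."""
    return re.sub(r"\s+", " ", sql).strip().upper()


def classify(sql: str) -> list[str]:
    """Return the reasons a captured statement is suspicious (empty if none)."""
    text = normalize(sql)
    if not UNION_RE.search(text):
        return []
    reasons = []
    if BUND_SEARCH_RE.search(text):
        # The key ring search quoted above contains no UNION of its own.
        reasons.append("union-in-key-ring-search")
    if CRED_TABLE_RE.search(text):
        reasons.append("union-reads-benutzer")
    if CRED_COLUMN_RE.search(text):
        reasons.append("union-selects-credential-columns")
    return reasons or ["union-select-unclassified"]


def scan(statements: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every flagged statement."""
    hits = [(i, classify(s)) for i, s in enumerate(statements)]
    return [(i, r) for i, r in hits if r]


# Constructed sample capture: a normal search, the injected shape quoted above
# (select list abridged, case and spacing varied), and an unrelated UNION.
SAMPLES = [
    "SELECT BUND.BUND_ID FROM BUND BUND WHERE ( 1 = 1 ) "
    "AND (upper(BUND.BUNDNUMMER) LIKE 'A12%')",
    "select BUND.BUND_ID from BUND BUND where ( 1 = 1 ) "
    "and (upper(BUND.BUNDNUMMER) like '')\n  union   select 1,user_kz "
    "from BENUTZER where (systemuser = 1) and ('a%' = 'a%')",
    "SELECT BEZEICHNUNG FROM DEPOT UNION SELECT BEZEICHNUNG FROM ARCHIV",
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLES):
        print(index, ", ".join(reasons))
```

Statements that carry a UNION but touch neither BUND nor BENUTZER are reported separately so they can be reviewed without drowning out the credential-table hits.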

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P