CVE-2019-5893
Published 2019-01-10

CVE-2019-5893: Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/utils/query/data.xml query parameter.
Priority: P2 72 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 24.71% (97.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nelson-it | open_source_erp | — | — |
Detection & IOCs (extracted from sources)
Command:

```
sqlend=1&query=%27%7c%7ccast((select+chr(95)%7c%7cchr(33)%7c%7cchr(64)%7c%7c(SELECT+VERSION())%7c%7cchr(95)%7c%7cchr(33)%7c%7cchr(64))+as+numeric)%7c%7c%27&schema=mne_application&table=userpref&cols=startweblet%2cregion%2cmslanguage%2cusername%2cloginname%2cpersonid%2clanguage%2cregionselect%2ctimezone%2ccountrycarcode%2cstylename%2cusername%2cstartwebletname&usernameInput.old=session_user&mneuserloginname=test
```
- Monitor for POST requests to the path /db/utils/query/data.xml, which is the vulnerable SQL injection endpoint in Nelson OpenSource ERP v6.3.1.
- Inspect the POST body for the 'query' parameter containing SQL injection payloads, particularly error-based injection using CAST(...AS NUMERIC) and VERSION() extraction patterns (e.g., presence of 'cast' and 'numeric' in the URL-encoded query parameter).
- Look for the presence of the session cookie name 'MneHttpSessionId<port>' (e.g., MneHttpSessionId8024) in HTTP requests as an indicator of traffic targeting Nelson OpenSource ERP instances.
- Flag POST requests to /db/utils/query/data.xml that include the parameter 'usernameInput.old=session_user', which is characteristic of this exploit's attempt to enumerate the current database session user.
- The exploit targets the 'mne_application' schema and 'userpref' table; SQL errors or anomalous queries referencing these objects in database logs may indicate exploitation attempts.
- Note: the PoC uses a hardcoded private IP (172.16.118.142) and port (8024) for the target host; these are lab/test values and should not be used as network IOCs in production detection rules. The actual deployment port may vary.
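The request-level checks listed above can be combined into one matcher. The following is an added example, not a rule from the sources indexed on this page; the function names, indicator labels, the `erp.example` host and both sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/db/utils/query/data.xml"
COOKIE_RE = re.compile(r"\bMneHttpSessionId\d+=")   # MneHttpSessionId<port>
INJECTION_SIGNS = {"cast_numeric", "version_probe", "session_user_param"}

def indicators(method, url, body, cookie_header=""):
    """Return the set of indicators from the list above found in one request."""
    hits = set()
    if COOKIE_RE.search(cookie_header):
        hits.add("nelson_cookie")            # context only: traffic is for this product
    if method.upper() != "POST" or urlsplit(url).path != VULN_PATH:
        return hits
    hits.add("endpoint")
    # parse_qs percent-decodes values and maps '+' to a space, so the
    # checks below run on the decoded parameter, not on the raw bytes.
    params = parse_qs(body, keep_blank_values=True)
    query = " ".join(params.get("query", [])).lower()
    if "cast" in query and "numeric" in query:
        hits.add("cast_numeric")             # error-based CAST(... AS NUMERIC)
    if re.search(r"version\s*\(", query):
        hits.add("version_probe")            # VERSION() extraction
    if "session_user" in params.get("usernameInput.old", []):
        hits.add("session_user_param")
    return hits

def is_suspicious(hits):
    """Alert only when the endpoint is hit together with an injection sign."""
    return "endpoint" in hits and bool(hits & INJECTION_SIGNS)

# Constructed sample requests (not captured traffic).
SAMPLE_URL = "http://erp.example:8024/db/utils/query/data.xml"
SAMPLE_COOKIE = "MneHttpSessionId8024=constructed-value"
SAMPLE_ATTACK = ("sqlend=1&query=%27%7c%7ccast((select+version())+as+numeric)%7c%7c%27"
                 "&schema=mne_application&table=userpref&usernameInput.old=session_user")
SAMPLE_BENIGN = "sqlend=1&query=&schema=mne_application&table=userpref&cols=username"

if __name__ == "__main__":
    for name, body in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        hits = indicators("POST", SAMPLE_URL, body, SAMPLE_COOKIE)
        print(name, sorted(hits), "ALERT" if is_suspicious(hits) else "ok")
```

The cookie name alone never raises an alert here, since it only identifies the product; the port in it varies per deployment, as noted above.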
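CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |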
No detection rules found.
No writeups or analysis indexed.