Companies using SmartVista, the popular e-commerce/payment management product suite developed by Swiss company BPC Banking Technologies, are urged to restrict access to its management interface.
That’s because Rapid7 researcher Aaron Herndon found a SQL injection vulnerability in it, and BPC has shown no indication that it’s going to fix it.
About the vulnerability
According to Rapid7’s findings, the issues affect the “Transactions” interface of SmartVista Front-End (SVFE), version 2.2.10, revision 287921.
“Users with access to the Transactions interface (located under SVFE > Customer Service > Transactions) are provided with three input fields: ‘Card Number’, ‘Account Number’, and ‘Transaction Date from’. The first two input fields allow for any text to be entered, and do not sanitize user-supplied input before passing it to a database query,” the company explained.
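The pattern described above (a lookup field whose raw text reaches the database query) next to its parameterized counterpart, as an added example that is not SmartVista's or Rapid7's code; the table, column names and card numbers are constructed for illustration and a digits-only pre-check is assumed as defence in depth:

```python
import sqlite3


def make_db():
    # Constructed sample data (not SmartVista's schema): a small transactions table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (card_number TEXT, account_number TEXT, "
        "txn_date TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO transactions VALUES (?, ?, ?, ?)",
        [
            ("4111111111111111", "ACC-1001", "2017-11-01", 25.00),
            ("5500000000000004", "ACC-2002", "2017-11-02", 99.50),
            ("340000000000009", "ACC-3003", "2017-11-03", 10.00),
        ],
    )
    return conn


def lookup_vulnerable(conn, card_number):
    # Hypothetical illustration of the reported pattern: the user-supplied value is
    # spliced into the SQL text, so a quote in the input changes the query itself.
    sql = (
        "SELECT card_number, account_number FROM transactions "
        "WHERE card_number = '%s'" % card_number
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, card_number):
    # Hardened form: the value is bound as a parameter, sent separately from the
    # SQL text, so it can only ever be compared as a literal string.
    sql = "SELECT card_number, account_number FROM transactions WHERE card_number = ?"
    return conn.execute(sql, (card_number,)).fetchall()


def is_valid_card_number(value):
    # Defence in depth (assumed policy): a card number is 12-19 digits, so anything
    # else is rejected before it reaches the database layer at all.
    return value.isdigit() and 12 <= len(value) <= 19


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the classic test string a fix should neutralise
    print("vulnerable rows:", len(lookup_vulnerable(db, probe)))      # 3
    print("parameterized rows:", len(lookup_parameterized(db, probe)))  # 0
```

Running the same test string through both functions is a quick regression check: the concatenated query returns every row, the bound query returns none.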