Unpatched SQLi vulnerability in SmartVista e-commerce suite

Haythem Elmir

Companies using SmartVista, the popular e-commerce/payment management product suite developed by Swiss company BPC Banking Technologies, are urged to limit access to its management interface.

That’s because Rapid7 researcher Aaron Herndon found a SQL injection vulnerability in it, and BPC has shown no indication that it’s going to fix it.

About the vulnerability

According to Rapid7’s findings, the issues affect the “Transactions” interface of SmartVista Front-End (SVFE), version 2.2.10, revision 287921.

“Users with access to the Transactions interface (located under SVFE > Customer Service > Transactions) are provided with three input fields: ‘Card Number’, ‘Account Number’, and ‘Transaction Date from’. The first two input fields allow for any text to be entered, and do not sanitize user-supplied input before passing it to a database query,” the company explained.
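The flaw described above, modelled as an added example that is not code from the article, from Rapid7's disclosure or from BPC: a lookup that concatenates the "Card Number" and "Account Number" fields into the SQL text, beside the hardened form that binds them as parameters and allowlists the card number. The table schema, column names, sample rows and helper names are assumptions for this illustration, not SmartVista's actual database layout or code.

```python
import re
import sqlite3

# Constructed sample data standing in for a transactions table.
# Schema, column names and rows are assumptions for this example.
SAMPLE_ROWS = [
    ("4111111111111111", "ACC-1001", "2017-09-01", 120.00),
    ("4111111111111111", "ACC-1001", "2017-09-03", 42.50),
    ("5500000000000004", "ACC-2002", "2017-09-02", 999.99),
    ("340000000000009", "ACC-3003", "2017-09-04", 10.00),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "card_number TEXT, account_number TEXT, tx_date TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_vulnerable_sql(card_number: str, account_number: str) -> str:
    """The flaw class: user-supplied text is spliced straight into the query."""
    return (
        "SELECT card_number, account_number, tx_date, amount FROM transactions "
        "WHERE card_number = '" + card_number + "' "
        "AND account_number = '" + account_number + "'"
    )


def search_vulnerable(conn, card_number: str, account_number: str) -> list:
    """Runs the concatenated query; a quote in either field changes its logic."""
    return conn.execute(build_vulnerable_sql(card_number, account_number)).fetchall()


def is_card_number(value: str) -> bool:
    """Allowlist check: a PAN is 12 to 19 digits and nothing else (assumed rule)."""
    return re.fullmatch(r"[0-9]{12,19}", value) is not None


def search_safe(conn, card_number: str, account_number: str) -> list:
    """Hardened form: allowlist the card number, bind both values as parameters.

    The account-number format is unknown here, so it is not allowlisted; the
    parameter binding alone keeps it from altering the query.
    """
    if not is_card_number(card_number):
        raise ValueError("card number must be 12-19 digits")
    sql = (
        "SELECT card_number, account_number, tx_date, amount FROM transactions "
        "WHERE card_number = ? AND account_number = ?"
    )
    return conn.execute(sql, (card_number, account_number)).fetchall()


def demo() -> tuple:
    """Legitimate lookup, then a tautology payload against both versions."""
    conn = make_db()
    ok_vuln = search_vulnerable(conn, "4111111111111111", "ACC-1001")
    ok_safe = search_safe(conn, "4111111111111111", "ACC-1001")
    # Payload in the Account Number field: closes the string literal and
    # appends OR '1'='1', so the WHERE clause becomes true for every row.
    payload = "' OR '1'='1"
    dumped = search_vulnerable(conn, "4111111111111111", payload)
    # Same payload through the parameterized query is just a literal string.
    safe_rows = search_safe(conn, "4111111111111111", payload)
    # Payload in the Card Number field is stopped by the allowlist first.
    try:
        search_safe(conn, "' OR 1=1 --", "ACC-1001")
        blocked = False
    except ValueError:
        blocked = True
    return len(ok_vuln), len(ok_safe), len(dumped), len(safe_rows), blocked


if __name__ == "__main__":
    print(build_vulnerable_sql("4111111111111111", "' OR '1'='1"))
    print(demo())
```

The point the example makes is that "sanitizing" the input is not the fix: binding the values as query parameters removes the injection regardless of what the field contains, and the digit-only allowlist on the card number is a second layer, not a substitute. Until BPC ships a fix, the mitigation the article recommends still stands: keep the SVFE management interface reachable only by the staff who need the Transactions screen.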
