Advisory for CVE-2021-41765, a critical SQL injection vulnerability leading to remote code execution, by the Horizon3.ai red team.
During our assessment of the ResourceSpace code base, we found three new vulnerabilities that could be exploited by an unauthenticated attacker. The most critical is CVE-2021-41765, a pre-auth SQL injection that an attacker can abuse to gain remote code execution (RCE) on the ResourceSpace server. The other two vulnerabilities identified were CVE-2021-41950, a path traversal vulnerability that can be used to delete arbitrary files on the file system, and CVE-2021-41951, a reflected cross-site scripting (XSS) vulnerability. All three vulnerabilities were promptly patched by the vendor, Montala Limited.