CVE-2021-36722
Last modified
CVE-2021-36722 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused by CWE-209: Generation of Error Message Containig Sensetive Information, showing parts of the aspx code and the webroot location , information an attacker can leverage to further compromise the host.. EPSS estimates a 1.35% chance of exploitation in the next 30 days.
Description
Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused by CWE-209: Generation of Error Message Containig Sensetive Information, showing parts of the aspx code and the webroot location , information an attacker can leverage to further compromise the host.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Emuse - Eservices \/ Envoice Project | Emuse - Eservices \/ Envoice | All versions |
References
- https://www.gov.il/en/departments/faq/cve_advisoriesThird Party Advisory
- https://www.gov.il/en/departments/faq/cve_advisoriesThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-36722?
How severe is CVE-2021-36722?
How do I fix CVE-2021-36722?
Are you affected by CVE-2021-36722?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST