Security Research & Advisories

SQL Injection in Openbravo Business Suite

Product: Openbravo Business Suite
Affected Version(s): 3.0 and probably prior
Tested Version(s): 3.0
Vulnerability Discovery: May 26, 2017
Vendor Notification: May 26, 2017
Advisory Publication: May 29, 2017 [without technical details]
Vendor Acknowledgment: June 13, 2017
Vendor Fix: N/A
Public Disclosure: N/A
Latest Modification: June 6, 2017
CVE Identifier(s): CVE-2017-9437
Product Description: The Openbravo Business Suite is a global management solution built on top of a truly modular, mobile-enabled and cloud-ready technology platform that allows organizations to deliver business process improvements faster, be more focused on business differentiation and business process innovation, and do so with lower risks.
Credits: Mahmoud Reda, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

SQL Injection
Severity: Medium
CVSS Score: 6.3
CWE-ID: CWE-89
Status: Not Fixed
Vulnerability Description
Openbravo Business Suite version 3.0 is affected by an SQL injection vulnerability. It could allow remote authenticated attackers to inject arbitrary SQL code into queries executed by the application.
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low


Full details about the vulnerability will be disclosed once the vendor has provided a patch.