[CRITICAL] Mergen Software QMS Exploit SQL injection to RFI
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection. This issue affects Quality Management System: through 25/03/2024.
The vulnerability exists in the query API due to insufficient validation of user-supplied input in the field parameter. It can be triggered by accessing the publicly available /api/get-organizations endpoint and inserting arbitrary SQL inside the field parameter. The value supplied to field is inserted into a raw SQL expression, which is then executed, leading to a SQL Injection vulnerability. The researcher identified the vulnerability by examining the following line of code:
Looking at the code, it appears that field is used as string data in a LIKE comparison whose right-hand side is a ? placeholder (a bind parameter, not a wildcard; the LIKE wildcards are % and _), while the field value itself is only passed through the SnakeString function before being placed in the query text. Details of the SnakeString function can be found in util/string.go; a case-conversion helper is not a sanitizer, so it does not stop SQL metacharacters from reaching the query.
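The pattern described above, reconstructed as an added example rather than code from the Mergen Software project: the function names, the organizations table and column names, and the snakeString helper are all assumptions (the project's real SnakeString in util/string.go is not reproduced here). The vulnerable builder formats the caller-controlled field name into the SQL text and binds only the search value through the ? placeholder, so a lowercase payload such as 1=1 or name survives snake-casing and turns the WHERE clause into a tautology. The hardened builder maps the client-facing field name through a fixed allowlist of column names instead.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// snakeString is an assumed stand-in for the project's SnakeString helper
// (util/string.go is not reproduced on the page). It converts camelCase to
// snake_case and nothing else: quotes, spaces, operators and comment markers
// pass through untouched, so it provides no protection against injection.
func snakeString(s string) string {
	var b strings.Builder
	for i, r := range s {
		if unicode.IsUpper(r) {
			if i > 0 {
				b.WriteByte('_')
			}
			b.WriteRune(unicode.ToLower(r))
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

// buildSearchVulnerable reproduces the vulnerable pattern: the field name is
// concatenated into the SQL text after snake-casing, and only the search value
// is bound through the ? placeholder. A field of "1=1 or name" yields
// "... WHERE 1=1 or name LIKE ?", which matches every row.
func buildSearchVulnerable(field, value string) (string, []any) {
	query := fmt.Sprintf(
		"SELECT id, name FROM organizations WHERE %s LIKE ?",
		snakeString(field),
	)
	return query, []any{"%" + value + "%"}
}

// allowedFields is an assumed allowlist mapping API field names to the exact
// column identifiers that may appear in the query. Anything not listed is
// rejected, so user input never reaches the SQL text at all.
var allowedFields = map[string]string{
	"name":      "name",
	"taxNumber": "tax_number",
	"city":      "city",
}

var errBadField = errors.New("unsupported search field")

// buildSearchSafe is the hardened form: the column comes from the allowlist and
// the search value stays a bound parameter.
func buildSearchSafe(field, value string) (string, []any, error) {
	col, ok := allowedFields[field]
	if !ok {
		return "", nil, errBadField
	}
	query := "SELECT id, name FROM organizations WHERE " + col + " LIKE ?"
	return query, []any{"%" + value + "%"}, nil
}

func main() {
	payload := "1=1 or name" // constructed payload; lowercase so snake-casing leaves it intact

	q, args := buildSearchVulnerable(payload, "acme")
	fmt.Printf("vulnerable: %s  args=%v\n", q, args)

	if _, _, err := buildSearchSafe(payload, "acme"); err != nil {
		fmt.Println("hardened:", err)
	}
	q2, args2, _ := buildSearchSafe("taxNumber", "12")
	fmt.Printf("hardened: %s  args=%v\n", q2, args2)
}
```

An allowlist is preferable to trying to "escape" an identifier: most database/sql drivers cannot bind column names as parameters, so the only safe place for user input in a query is a bound value, and the identifier must be chosen by the server from a fixed set.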