bpm’online SQL injection (CVE-2019-15301)
Sep 18, 2019
Object
bpm’online CRM system SDK
Overview
Passing a user-controlled parameter to the method Terrasoft.Core.DB.Column.Const() can lead to an SQL injection vulnerability.
Vulnerable code example
This code block was found in our customer’s project:
Documentation
Information about the danger of Column.Const() is not present in Terrasoft’s documentation.
Patch
No patch is available. Terrasoft transferred the responsibility to developers and only changed the documentation.
Recommendation
Do not use Column.Const(). Use Column.Parameter() instead.
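As an added illustration (not code from the original post or from the vendor), the risky pattern beside the recommended fix, written against the bpm’online/Creatio Select query builder; the UserConnection, the Contact table and its Name column are assumptions:

```csharp
using System;
using Terrasoft.Core;
using Terrasoft.Core.DB;

// Assumed: a "Contact" table with a "Name" column, and a UserConnection
// taken from the bpm'online application context.
public static class ContactLookup
{
    // RISKY: Column.Const() inlines the value into the SQL text, so a
    // user-supplied string becomes part of the statement itself and can
    // change its structure (this is the pattern the advisory describes).
    public static Select FindByNameUnsafe(UserConnection userConnection, string name)
    {
        return new Select(userConnection)
            .Column("Id")
            .From("Contact")
            .Where("Name").IsEqual(Column.Const(name)) as Select;
    }

    // FIXED: Column.Parameter() binds the value as a query parameter, so the
    // statement text stays fixed and the value travels separately to the DB.
    public static Select FindByNameSafe(UserConnection userConnection, string name)
    {
        return new Select(userConnection)
            .Column("Id")
            .From("Contact")
            .Where("Name").IsEqual(Column.Parameter(name)) as Select;
    }

    // Example of executing the safe query; returns Guid.Empty when no row matches.
    public static Guid FindIdByName(UserConnection userConnection, string name)
    {
        return FindByNameSafe(userConnection, name).ExecuteScalar<Guid>();
    }
}
```

Reviewing a code base for this issue means searching for every Column.Const() whose argument can be traced back to request data and replacing it with Column.Parameter().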