bpm’online SQL injection (CVE-2019-15301)

Object

Bpm’online CRM-System SDK

https://terrasoft.ru/

https://www.bpmonline.com/

Overview

Passing a user-controlled value to the method Terrasoft.Core.DB.Column.Const() leads to an SQL injection vulnerability: Const() embeds the value directly in the generated SQL text instead of binding it as a query parameter, so a value containing quotes can alter the structure of the query.

Vulnerable code example

This code block was found in one of our customers’ projects:

Documentation

Terrasoft’s documentation contained no warning that Column.Const() is dangerous when used with untrusted input.

Patch

No patch is available. Terrasoft has shifted the responsibility to developers and has only changed the documentation.

Recommendation

Do not pass user-controlled values to Column.Const(). Use Column.Parameter() instead, which binds the value as a query parameter and keeps it separate from the SQL text.
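To make the difference concrete, here is an illustrative example written for this advisory. It is neither the customer’s code shown above nor Terrasoft’s own: a lookup method built with the SDK’s Select class, first with Column.Const() (the vulnerable form from the Overview) and then with Column.Parameter() (the recommended form). The ContactLookup class, the Contact table, the Name column, the method names and the sample payload are assumptions made for the example; the Select, Column and ExecuteScalar calls follow the public shape of the Terrasoft.Core.DB API.

```csharp
using System;
using Terrasoft.Core;
using Terrasoft.Core.DB;

// Illustrative example for this advisory, not the customer's code and not
// Terrasoft's own. Assumes a server-side bpm'online context (e.g. a
// configuration service or business-process script) where a UserConnection
// is available. "Contact", "Name" and the class/method names are assumptions.
public class ContactLookup
{
    private readonly UserConnection _userConnection;

    public ContactLookup(UserConnection userConnection)
    {
        _userConnection = userConnection;
    }

    // VULNERABLE: Column.Const() places the value verbatim into the SQL text.
    // If `name` comes from a request, a value such as
    //     x' OR '1'='1
    // closes the string literal and appends attacker-controlled SQL, so the
    // WHERE clause no longer filters on the intended contact.
    public Guid FindContactIdVulnerable(string name)
    {
        var select = new Select(_userConnection)
            .Column("Id")
            .From("Contact")
            .Where("Name").IsEqual(Column.Const(name)) as Select;
        return select.ExecuteScalar<Guid>();
    }

    // FIXED: Column.Parameter() binds `name` as a query parameter. The value
    // travels to the database separately from the SQL text, so quotes or
    // keywords inside it are treated as data and cannot change the query.
    public Guid FindContactIdSafe(string name)
    {
        var select = new Select(_userConnection)
            .Column("Id")
            .From("Contact")
            .Where("Name").IsEqual(Column.Parameter(name)) as Select;
        return select.ExecuteScalar<Guid>();
    }
}
```

The two methods differ in exactly one call, which is why the defect is easy to miss in code review: a search of the project for Column.Const( and a check of where each argument originates is the quickest way to find every affected query.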
