CVE-2021-36722 — HIGH (7.1)

Vulnerability Description

Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused by CWE-209: Generation of Error Message Containig Sensetive Information, showing parts of the aspx code and the webroot location , information an attacker can leverage to further compromise the host.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Emuse - Eservices \/ Envoice Project	Emuse - Eservices \/ Envoice	-

Related Weaknesses (CWE)

CWE-89

References

https://www.gov.il/en/departments/faq/cve_advisoriesThird Party Advisory
https://www.gov.il/en/departments/faq/cve_advisoriesThird Party Advisory

FAQ

What is CVE-2021-36722?

CVE-2021-36722 is a vulnerability with a CVSS score of 7.1 (HIGH). Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused b...

How severe is CVE-2021-36722?

CVE-2021-36722 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-36722?

Check the references section above for vendor advisories and patch information. Affected products include: Emuse - Eservices \/ Envoice Project Emuse - Eservices \/ Envoice.