Vulnerability Description
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bqe | Billquick Web Suite | >= 19, < 22.0.9.1 |
Related Weaknesses (CWE)
References
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerabiExploitThird Party Advisory
- https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerabiExploitThird Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-US Government Resource
FAQ
What is CVE-2021-42258?
CVE-2021-42258 is a vulnerability with a CVSS score of 9.8 (CRITICAL). BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL inje...
How severe is CVE-2021-42258?
CVE-2021-42258 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-42258?
Check the references section above for vendor advisories and patch information. Affected products include: Bqe Billquick Web Suite.