Multiple requests made to the web interface are vulnerable to SQL injection. This includes the user query, which allows the entire user table to be extracted from the system. Exploitation requires authentication, but a default password on an undocumented admin account makes this possible. An authenticated attacker can use SQL injection against the web interface to escalate privileges.
Connection Suite 3.0.0 and later no longer uses Adobe® Flash, and we have updated the methods and libraries so that such SQL injections are impossible.
Dualog Connection Suite 3.0 was released on December 8, 2020. See Connection Suite 3.0 release notes here.
This vulnerability was found by PenTestPartners (PTP) during random security testing.