NLB mKlik Makedonija 3.3.12 SQL Injection

CVE: -
Category: CWE-89
Price: $500
Severity: Critical
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2023-10-16
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023100040

Below is a copy:

NLB mKlik Makedonija 3.3.12 SQL Injection


Vendor: NLB Banka AD Skopje
Product web page: https://www.nlb.mk
Google Play: https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunskamk.production
Affected version: 3.3.12

Summary: NLB mKlik ... NLB mKlik ... Android 5.0 ...

Desc: The mobile application, or the API behind it, suffers from an SQL
Injection vulnerability. Input passed to the parameters associated with
international transfers is not properly sanitised before being returned
to the user or used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code and to disclose sensitive
information.

Tested on: Android 13


Vulnerability discovered by Neurogenesia @zeroscience


Advisory ID: ZSL-2023-5797
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5797.php


23.12.2022

--


Incident ID: ZSL-122022-NLBTHR
------------------------------
DB data disclosure PoC (international transfer details/description trigger):

++
[select alfa1+'  ' opis from pts (nolock) where unikum =dbo.dodajnuli(:unikum ,14) and kod = 15111]

-
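The PoC above shows the application echoing back its own query text when the transfer description breaks the statement. The following added example (not the vendor's code and not part of the advisory) reproduces that failure mode on a constructed sqlite3 stand-in for the "pts" lookup: a concatenated query falls over on a description containing an apostrophe and surfaces a raw database error, while the bound-parameter version treats the same input as a literal. Table and column names are borrowed from the leaked query; the T-SQL specifics (nolock, dbo.dodajnuli) are omitted because sqlite3 has no equivalent.

```python
import sqlite3

# Constructed stand-in schema and rows (not real NLB data). The leaked
# T-SQL used alfa1, opis, unikum and kod; sqlite has no (nolock) hint or
# dbo.dodajnuli(), so the lookup is simplified to a plain equality.
SCHEMA = """
CREATE TABLE pts (unikum TEXT, kod INTEGER, alfa1 TEXT, opis TEXT);
INSERT INTO pts VALUES ('00000000000042', 15111, 'SWIFT', 'Tuition fee');
INSERT INTO pts VALUES ('00000000000043', 15111, 'SEPA',  'Invoice 2023-10');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_unsafe(conn, unikum, opis):
    # String concatenation: a quote inside 'opis' changes the statement
    # itself. sqlite uses || where T-SQL used + for string concatenation.
    sql = ("select alfa1 || '  ' || opis from pts where unikum = '" + unikum
           + "' and kod = 15111 and opis = '" + opis + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, unikum, opis):
    # Bound parameters (the :unikum style already visible in the leaked
    # query) keep user input out of the statement text entirely.
    sql = ("select alfa1 || '  ' || opis from pts "
           "where unikum = :unikum and kod = 15111 and opis = :opis")
    return conn.execute(sql, {"unikum": unikum, "opis": opis}).fetchall()


def probe(opis):
    """Run both variants on one description; return (unsafe_result, safe_rows)."""
    conn = open_db()
    try:
        unsafe = lookup_unsafe(conn, "00000000000042", opis)
    except sqlite3.Error as exc:
        # This is the condition the advisory exploits: a raw DB error that,
        # if relayed to the client, discloses the query text. A hardened API
        # logs this server-side and returns a generic error instead.
        unsafe = "error: " + str(exc)
    safe = lookup_safe(conn, "00000000000042", opis)
    return unsafe, safe
```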

Copyright ©2024 Exploitalert.