A user with the “Supervisor” role could delete any tag that they did not intend to remove.
OpenCATS administrators were advised to upgrade the app to avoid being exploited. OpenCATS was released on July 11, 2018 and patched on July 18, 2018. OpenCATS is a popular open-source ERP/MRP system that is used by companies of all sizes. It is used by companies in a variety of industries including manufacturing, construction, food, oil & gas, and more. On July 18th, a new version of OpenCATS was released by the developers. It fixed a SQL injection vulnerability in the tag function that allowed for data tampering. The OpenCATS developers patched the vulnerability within 2 days after it was discovered.
SQL Injection and XSS Flaw
The flaw allowed unauthorized users to view, delete, or modify data stored in the application.
As the OpenCATS developers patched this vulnerability within two days of discovery and only affects a single function, it is safe to say that this was not a critical vulnerability.
SQL Injection Vulnerability
SQL injection vulnerabilities are well known. In this vulnerability, the developer of OpenCATS was vulnerable to inserting SQL code into the tag function without adding any filters. This SQL code could be inserted by a person with the “Supervisor” role in order to delete any tag that they did not intend to remove.
The vulnerability had been introduced by a bug in an older version of OpenCATS that had been fixed. It was only patched with the release of a newer version 2 days later on July 18th.
If you are using OpenCATS and were not running version 3 or higher, it is suggested that you upgrade to avoid being exploited.
Timeline
Published on: 10/19/2022 18:15:00 UTC
Last modified on: 10/20/2022 05:47:00 UTC