Multiple SQL Injection vulnerabilities in eBrigade [CVE-2019-16743, CVE-2019-16744, CVE-2019-16745]

CVE numbers – CVE-2019-16743, CVE-2019-16744, CVE-2019-16745

Due to insufficient sanitization of user input an authenticated attacker can execute arbitrary SQL code in several SELECT statements. Since two of the three vulnerabilities are completely unsanitized and responsible to serve ICAL files, an attacker can let a user download manipulated calendar files. Besides that an attacker can also dump the whole database.

The third vulnerability results out of wrong usage of sanitization functions. This enables an attacker to manipulate the SQL query with specially crafted requests resulting into a blind SQL injection, as described in one of the following vulnerabilities.

a) & b) Multiple UNION SQL Injections (CVE-2019-16743, CVE-2019-16744) The parameters of two links can be manipulated so any arbitrary query to any table or database can be added to the output of the resulting calendar files using the UNION functionality of SQL.

c) Boolean-based Blind SQL Injection (CVE-2019-16745) The parameters of a search result can be manipulated to guess the returned values of an arbitrary query.

eBrigade is a web application that allows the management of personnel, vehicles and equipment of rescue centers (fire brigades), associations of first responders and military organizations.

Resolution

The vendor has provided an updated version (v5.0 or higher, v5.0.1) which should be installed immediately: https://sourceforge.net/projects/ebrigade/files/