SQL Injection Flaw in Hyland OnBase Software
CVE-2020-25254

9.8CRITICAL

Key Information:

Vendor

Hyland

Status
Onbase
Vendor
CVE Published:
11 September 2020

What is CVE-2020-25254?

A SQL injection vulnerability has been identified in multiple versions of Hyland OnBase, potentially allowing an attacker to execute arbitrary SQL commands. The issue can be exploited through functions such as TestConnection_LocalOrLinkedServer, CreateFilterFriendlyView, or AddWorkViewLinkedServer. This vulnerability affects versions 16.0.2.83 and earlier, 17.0.2.109 and earlier, 18.0.0.37 and earlier, 19.8.16.1000 and earlier, and 20.3.10.1000 and earlier, making it essential for users to review their systems and apply necessary patches to mitigate risks.

References

https://seclists.org/fulldisclosure/2020/Sep/7
x_refsource_MISC
http://seclists.org/fulldisclosure/2020/Oct/9
mailing-listx_refsource_FULLDISC
https://seclists.org/fulldisclosure/2020/Oct/9
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.