CVE-2021-42258

NVD Published Date: October 22, 2021 at 10:15 PM
NVD Last Modified: October 28, 2021 at 08:34 PM
Vulnerability ID: CVE-2021-42258
Severity: CRITICAL
Severity Score: 9.8 (CVSS v3.1)
Summary: BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
Mitigation and Patches: -
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE ID: CWE-89

