# Talos Vulnerability Report ### TALOS-2020-1109 ## Aveva eDNA Enterprise Data Historian Alias.asmx SQL injection Vulnerability ##### September 23, 2020 ##### CVE Number CVE-2020-13507, CVE-2020-13508 ### Summary Multiple SQL injection vulnerabilities exist in the Alias.asmx Web Service functionality of eDNA Enterprise Data Historian 3.0.1.2/7.5.4989.33053. Specially crafted SOAP web requests can cause SQL injections resulting in data compromise. An attacker can send unauthenticated HTTP requests to trigger these vulnerabilities. ### Tested Versions Aveva eDNA Enterprise Data Historian 3.0.1.2/7.5.4989.33053 ### Product URLs ### CVSSv3 Score 9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) ### Details .eDNA Enterprise Data Historian is highly scalable software platform that efficiently archives and quickly retrieves time-series data in business and operational environments. Multiple SQL injection vulnerabilities exist in the web service as an unauthenticated user. A successful attack could allow an unauthenticated attacker to access information such as usernames and password hashes that are stored in the database. #### CVE-2020-13507 - Parameter OrigID Parameter OrigID in Alias.asmx is vulnerable to unauthenticated SQL injection attacks: POST /webservice/Alias.asmx HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: application/soap+xml;charset=UTF-8;action="http://instepsoftware.com/webservices/GetAliasHistory" User-Agent: agent Host: [IP] Content-Length: 317 (SQL INJECTION) #### CVE-2020-13508 - Parameter AliasName Parameter AliasName in Alias.asmx is vulnerable to unauthenticated SQL injection attacks: POST /webservice/Alias.asmx HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: application/soap+xml;charset=UTF-8;action="http://instepsoftware.com/webservices/GetAlias" User-Agent: agent Host: [IP] Content-Length: 379 1 (SQL INJECTION) ### Timeline 2020-07-10 - Vendor disclosure 2020-08-10 - Vendor provided patch for Talos to test 2020-08-21 - Talos confirmed fix/patch 2020-09-23 - Public disclosure release ##### Credit Discovered by Yuri Kramarz of Cisco Talos. * * * Vulnerability Reports Next Report TALOS-2020-1108 Previous Report TALOS-2020-1084

Reporter	Title	Published	Views	Family All 4
CVE	CVE-2020-13508	24 Sep 202014:43	–	cve
NVD	CVE-2020-13508	24 Sep 202015:15	–	nvd
Prion	Design/Logic Flaw	24 Sep 202015:15	–	prion
Talos	Aveva eDNA Enterprise Data Historian Alias.asmx SQL injection Vulnerability	23 Sep 202000:00	–	talos