vulnerability
BQE WebSuite: CVE-2021-42258: BillQuick WebSuite SQL RCE
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Oct 22, 2021 | Mar 8, 2022 | May 3, 2022 |
Severity
9
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
Oct 22, 2021
Added
Mar 8, 2022
Modified
May 3, 2022
Description
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
This check requires the Metasploit Remote Check Service to be enabled on Scan Engines. Please see the Metasploit Remote Check Service documentation for instructions on how to enable this functionality.
Solution
bqe-websuite-upgrade-latest
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.