Affected Products: UniverSIS-API versions prior to commit 39e47d7f
Class: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)
Discovered by: Stavros Mekesis
An SQL injection vulnerability exists in UniverSIS-API versions prior to commit 39e47d7f via the $select parameter of multiple API endpoints, because user-supplied input to that parameter is not properly validated before it reaches the database query. A remote authenticated attacker can send specially crafted SQL through the $select parameter of a vulnerable endpoint (e.g. /api/students/me/messages/), which could allow the attacker to view, add, modify or delete information in the back-end database.
Proof of Concept
The SQL injection can be detected manually by submitting a single quote character (') in the $select parameter and looking for database errors or other anomalies in the response (see Fig. 1).
A remote authenticated attacker can leverage the vulnerability to retrieve data from other tables in the database. For example, the request shown in Fig. 2 causes the application to return all IDs, given names, family names, fathers' names, mothers' names, Social Security numbers, home addresses, home phones and mobile phones from the PersonData table.
The attacker can also leverage the vulnerability to modify information in the back-end database. For example, the request shown in Fig. 3 changes the thesis grade of Μιχαλόπουλος Αντώνιος (firstname.lastname@example.org) to "10" (see Fig. 3-5).
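The root cause described above is that field names taken from $select are placed into the SQL statement without validation. The following Python example is added here to illustrate the difference; it is not UniverSIS code and does not reproduce the project's fix. The table and column names (Messages, id, subject, body, dateCreated) and the function names are assumptions chosen for illustration. The vulnerable builder interpolates the raw parameter, so the single-quote probe from Fig. 1 lands in the query verbatim; the hardened builder accepts only identifiers from a fixed allowlist and rejects everything else before any SQL is assembled.

```python
import re

# Hypothetical allowlist of columns a client may request via $select.
# UniverSIS's real schema is not part of this advisory.
ALLOWED_FIELDS = {"id", "subject", "body", "dateCreated"}

# A field name must be a plain identifier: no quotes, spaces, commas or operators.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidSelect(ValueError):
    """Raised when $select contains anything other than allowlisted identifiers."""


def build_query_vulnerable(select: str, table: str = "Messages") -> str:
    """Pattern matching the advisory's description: the raw $select value
    becomes the projection list. A probe such as id' passes straight through."""
    return f"SELECT {select} FROM {table} WHERE recipient = ?"


def parse_select(select: str, allowed: set = ALLOWED_FIELDS) -> list:
    """Split a $select value into field names and validate each one.

    Every field must both look like an identifier and appear in the allowlist;
    the identifier check alone would not stop a request for a column the caller
    is not supposed to read, and the allowlist alone would be enough, but the
    regex gives a clearer error for obviously malformed input."""
    fields = [f.strip() for f in select.split(",") if f.strip()]
    if not fields:
        raise InvalidSelect("empty $select")
    for field in fields:
        if not IDENTIFIER.match(field) or field not in allowed:
            raise InvalidSelect(f"field not selectable: {field!r}")
    return fields


def is_valid_select(select: str) -> bool:
    """Boolean convenience wrapper around parse_select for request filtering."""
    try:
        parse_select(select)
        return True
    except InvalidSelect:
        return False


def build_query_hardened(select: str, table: str = "Messages") -> str:
    """Build the projection only from validated, allowlisted identifiers.

    The row filter uses a bind parameter (?) so no user data is ever
    concatenated into the statement text."""
    columns = ", ".join(f'"{c}"' for c in parse_select(select))
    return f'SELECT {columns} FROM "{table}" WHERE "recipient" = ?'


if __name__ == "__main__":
    probe = "id'"  # the single-quote probe from the manual detection step
    print(build_query_vulnerable(probe))            # quote reaches the SQL text
    print(build_query_hardened("id, subject"))      # allowlisted fields only
    print(is_valid_select(probe))                   # False: rejected before SQL
    print(is_valid_select("id, password_hash"))     # False: not in the allowlist
```

The allowlist, not escaping, is what closes the hole: column and table names cannot be passed as bind parameters, so the only safe way to let a client choose them is to map the request onto a fixed set of names the server already knows.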
UniverSIS has released a patch for this vulnerability on GitLab (commit 39e47d7f). Affected deployments should apply the patch as soon as possible.
Responsible Disclosure Timeline
Vendor Contact: April 17, 2022
Vendor Fix Released: April 18, 2022
Public Advisory: April 24, 2022
CVE Allocation: April 25, 2022