Employee Self Service System
SQL injection in Tiobon Employee Self-Service System versions up to 7.2 allows authenticated remote attackers to manipulate the Keyword parameter in /Blog/BlogSearch.aspx, executing arbitrary SQL against the underlying database with low impact on confidentiality, integrity, and availability. Publicly available exploit code exists and has been disclosed via VulDB, while the vendor failed to respond to responsible disclosure, leaving no vendor-released patch at the time of analysis. Active exploitation has not been confirmed (the issue is not in CISA KEV), but the low-complexity, network-reachable nature of the flaw combined with a public proof-of-concept represents a credible opportunistic risk for organizations running this HR application.
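With no vendor patch available, the practical control is to watch web server logs for the affected endpoint. The following is an added example, not code from the advisory or from the vendor: it scans constructed IIS-style log lines (date, time, method, cs-uri-stem, cs-uri-query, client IP, status; all values invented) and flags requests to /Blog/BlogSearch.aspx whose Keyword parameter carries SQL metacharacters or keywords.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log lines in a simplified IIS W3C layout (not real traffic):
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2024-01-10 09:12:01 GET /Blog/BlogSearch.aspx Keyword=vacation+policy 10.0.0.5 200
2024-01-10 09:12:07 GET /Blog/BlogSearch.aspx Keyword=a%27+OR+1%3D1-- 10.0.0.9 200
2024-01-10 09:12:09 GET /Blog/BlogSearch.aspx Keyword=x%27+UNION+SELECT+NULL%2CNULL-- 10.0.0.9 500
2024-01-10 09:13:00 GET /Portal/Home.aspx - 10.0.0.5 200
"""

TARGET_STEM = "/blog/blogsearch.aspx"  # endpoint named in the advisory

# Heuristic rules; a single hit is noisy, several hits on the same value are a strong signal.
SQLI_RULES = [
    ("quote", re.compile(r"'")),                                   # string delimiter
    ("comment", re.compile(r"--|/\*|;")),                          # comment or statement terminator
    ("keyword", re.compile(r"\b(union|select|insert|update|delete|drop|exec|waitfor)\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\s+\S+\s*=\s*\S+", re.I)),  # e.g. OR 1=1
]


def parse_line(line):
    """Split one log line into its seven whitespace-separated fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, method, stem, query, ip, status = parts
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": query, "ip": ip, "status": status}


def matched_rules(value):
    """Return the names of every SQLI_RULES entry that matches the decoded Keyword value."""
    return [name for name, rx in SQLI_RULES if rx.search(value)]


def scan_log(text):
    """Return an alert per request to the vulnerable endpoint whose Keyword looks injected."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["stem"].lower() != TARGET_STEM:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so rules see the real value.
        for keyword in parse_qs(rec["query"], keep_blank_values=True).get("Keyword", []):
            rules = matched_rules(keyword)
            if rules:
                alerts.append({"ts": rec["ts"], "ip": rec["ip"], "status": rec["status"],
                               "keyword": keyword, "rules": rules})
    return alerts
```

Requests whose Keyword trips two or more rules are worth escalating; a single "quote" hit may simply be an apostrophe in a legitimate search term.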