Nemon Trade Energy
Monthly
Unauthenticated SQL injection in Nemon Trade Energy and Nemon Trade Energy CRM allows remote attackers to execute arbitrary SQL queries through the 'two_steps_auth_code' parameter on the '/user-login' endpoint. The 2FA verification flow is reachable without prior authentication, enabling full database compromise; no public exploit identified at time of analysis, but a vendor patch is available per the INCIBE advisory.
Unauthenticated SQL injection in Nemon Trade Energy and Nemon Trade Energy CRM allows remote attackers to execute arbitrary SQL queries through the 'two_steps_auth_code' parameter on the '/user-login' endpoint. The 2FA verification flow is reachable without prior authentication, enabling full database compromise; no public exploit identified at time of analysis, but a vendor patch is available per the INCIBE advisory.