Pamirs
Monthly
SQL injection in Oinone Pamirs versions up to 7.2.0 allows remote unauthenticated attackers to read, modify, or delete database records via the queryListByWrapper interface. The RSQLToSQLNodeConnector.makeVariable function fails to properly sanitize input, enabling direct database manipulation. A publicly available proof-of-concept exploit exists (GitHub issue #12), and the vendor has not responded to disclosure attempts. EPSS data unavailable, not listed in CISA KEV. CVSS 5.5 (Medium) reflects confidentiality, integrity, and availability impacts all rated Low with network-accessible, low-complexity exploitation requiring no authentication.
SQL injection in Oinone Pamirs versions up to 7.2.0 allows remote unauthenticated attackers to read, modify, or delete database records via the queryListByWrapper interface. The RSQLToSQLNodeConnector.makeVariable function fails to properly sanitize input, enabling direct database manipulation. A publicly available proof-of-concept exploit exists (GitHub issue #12), and the vendor has not responded to disclosure attempts. EPSS data unavailable, not listed in CISA KEV. CVSS 5.5 (Medium) reflects confidentiality, integrity, and availability impacts all rated Low with network-accessible, low-complexity exploitation requiring no authentication.