Pro Cloud Server
Monthly
Denial of service in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated remote attackers to crash the service by submitting a specially crafted SQL query that the server fails to parse safely. The flaw, reported by CERT-PL, results in unexpected termination of the Pro Cloud Server process, and no public exploit identified at time of analysis. The vendor did not respond to disclosure, so the full vulnerable version range remains unconfirmed.
Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.
Broken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged users to execute arbitrary SQL queries against the backend database with the database user's privileges. The flaw stems from missing permission checks in the database communication layer, effectively granting any logged-in user the ability to read or modify any data the service account can access. No public exploit identified at time of analysis, but technical write-ups have been published by CERT-PL and independent researchers.
Denial of service in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated remote attackers to crash the service by submitting a specially crafted SQL query that the server fails to parse safely. The flaw, reported by CERT-PL, results in unexpected termination of the Pro Cloud Server process, and no public exploit identified at time of analysis. The vendor did not respond to disclosure, so the full vulnerable version range remains unconfirmed.
Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.
Broken access control in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated low-privileged users to execute arbitrary SQL queries against the backend database with the database user's privileges. The flaw stems from missing permission checks in the database communication layer, effectively granting any logged-in user the ability to read or modify any data the service account can access. No public exploit identified at time of analysis, but technical write-ups have been published by CERT-PL and independent researchers.