BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-10-22T21:25:55

Updated: 2024-08-04T03:30:37.966Z

Reserved: 2021-10-11T00:00:00

Link: CVE-2021-42258

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-10-22T22:15:07.907

Modified: 2024-11-21T06:27:28.280

Link: CVE-2021-42258

cve-icon Redhat

No data.