Description
A vulnerability was found in Tiobon Employee Self-Service System up to 7.2. Affected by this vulnerability is an unknown functionality of the file /Blog/BlogSearch.aspx of the component Login Endpoint. The manipulation of the argument Keyword results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-07
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Tiobon Employee Self-Service System through the /Blog/BlogSearch.aspx login endpoint. Manipulating the Keyword argument allows an attacker to inject arbitrary SQL statements into the backend database. This remote SQL injection could enable data theft, unauthorized modification, or denial of service by compromising the database integrity or confidentiality.

Affected Systems

Tiobon Employee Self-Service System versions up to 7.2 are affected. No specific hotfix is referenced, and the vendor has not released a public patch for this issue.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, but the vulnerability can be exploited remotely using publicly available exploit code. With no EPSS data and the vulnerability not listed in CISA's KEV catalog, the timing and frequency of exploitation remain uncertain. However, because the entry point is accessible over the network and the exploit is publicly known, the risk to systems with exposed bundles is significant and warrants immediate remediation.

Generated by OpenCVE AI on June 7, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tiobon Employee Self-Service System to a version that includes the SQL injection fix for BlogSearch.aspx (if available).
  • Implement server‑side input validation or convert the Keyword parameter to a parameterized query to prevent injection.
  • Restrict access to /Blog/BlogSearch.aspx by using a web application firewall or IP‑based access controls to limit exposure to trusted users only.

Generated by OpenCVE AI on June 7, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Tiobon Employee Self-Service System up to 7.2. Affected by this vulnerability is an unknown functionality of the file /Blog/BlogSearch.aspx of the component Login Endpoint. The manipulation of the argument Keyword results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Tiobon Employee Self-Service System Login Endpoint BlogSearch.aspx sql injection
First Time appeared Tiobon
Tiobon employee Self-service System
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:tiobon:employee_self-service_system:*:*:*:*:*:*:*:*
Vendors & Products Tiobon
Tiobon employee Self-service System
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tiobon Employee Self-service System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-07T03:45:07.431Z

Reserved: 2026-06-06T10:40:55.158Z

Link: CVE-2026-11453

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-07T04:16:30.147

Modified: 2026-06-07T04:16:30.147

Link: CVE-2026-11453

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T05:30:05Z

Weaknesses