Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities by PRIMION DIGITEK

    CVE-2026-1523 (GCVE-0-2026-1523)

    Vulnerability from nvd – Published: 2026-02-05 13:16 – Updated: 2026-02-05 14:29
    VLAI
    Title
    Path Traversal in Digitek from Grupo Azkoyen
    Summary
    Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, thet is, 'http://<host>/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Date Public
    2026-02-05 11:00
    Credits
    Óscar Atienza Vendrell
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1523",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-05T14:25:31.077276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-05T14:29:09.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Digitek ADT1100",
              "vendor": "PRIMION DIGITEK",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Digitek DT950",
              "vendor": "PRIMION DIGITEK",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:primion_digitek:digitek_adt1100:all_versions:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:primion_digitek:digitek_dt950:all_versions:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "\u00d3scar Atienza Vendrell"
            }
          ],
          "datePublic": "2026-02-05T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server\u0027s file system, thet is, \u0027http://\u0026lt;host\u0026gt;/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd\u0027. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise."
                }
              ],
              "value": "Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server\u0027s file system, thet is, \u0027http://\u003chost\u003e/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd\u0027. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-05T13:16:30.583Z",
            "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            "shortName": "INCIBE"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-digitek-grupo-azkoyen"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerability has been fixed in the latest version of the affected products."
                }
              ],
              "value": "The vulnerability has been fixed in the latest version of the affected products."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Path Traversal in Digitek from Grupo Azkoyen",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "assignerShortName": "INCIBE",
        "cveId": "CVE-2026-1523",
        "datePublished": "2026-02-05T13:16:30.583Z",
        "dateReserved": "2026-01-28T10:54:43.233Z",
        "dateUpdated": "2026-02-05T14:29:09.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-3604 (GCVE-0-2021-3604)

    Vulnerability from nvd – Published: 2021-06-18 14:14 – Updated: 2024-09-16 23:06
    VLAI
    Title
    Primion-Digitek Secure 8 SQL injection vulnerability
    Summary
    Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.
    CWE
    • CWE 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Date Public
    2021-06-18 00:00
    Credits
    Ander Martínez of Titanium Industrial Security.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:08.315Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Secure 8 (Evalos)",
              "vendor": "Primion Digitek",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.1.55"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Ander Mart\u00ednez of Titanium Industrial Security."
            }
          ],
          "datePublic": "2021-06-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE 89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-18T14:14:47.000Z",
            "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            "shortName": "INCIBE"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5."
            }
          ],
          "source": {
            "advisory": "INCIBE-2021-0243",
            "discovery": "EXTERNAL"
          },
          "title": "Primion-Digitek Secure 8 SQL injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-coordination@incibe.es",
              "DATE_PUBLIC": "2021-06-18T08:00:00.000Z",
              "ID": "CVE-2021-3604",
              "STATE": "PUBLIC",
              "TITLE": "Primion-Digitek Secure 8 SQL injection vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Secure 8 (Evalos)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "1.0.1.55",
                                "version_value": "1.0.1.55"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Primion Digitek"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Ander Mart\u00ednez of Titanium Industrial Security."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database."
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
              }
            ],
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE 89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability"
                },
                {
                  "name": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html",
                  "refsource": "CONFIRM",
                  "url": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5."
              }
            ],
            "source": {
              "advisory": "INCIBE-2021-0243",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "assignerShortName": "INCIBE",
        "cveId": "CVE-2021-3604",
        "datePublished": "2021-06-18T14:14:47.260Z",
        "dateReserved": "2021-06-15T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:06:31.070Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-1523 (GCVE-0-2026-1523)

    Vulnerability from cvelistv5 – Published: 2026-02-05 13:16 – Updated: 2026-02-05 14:29
    VLAI
    Title
    Path Traversal in Digitek from Grupo Azkoyen
    Summary
    Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server's file system, thet is, 'http://<host>/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd'. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Date Public
    2026-02-05 11:00
    Credits
    Óscar Atienza Vendrell
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1523",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-05T14:25:31.077276Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-05T14:29:09.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Digitek ADT1100",
              "vendor": "PRIMION DIGITEK",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "Digitek DT950",
              "vendor": "PRIMION DIGITEK",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:primion_digitek:digitek_adt1100:all_versions:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                },
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:primion_digitek:digitek_dt950:all_versions:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ],
              "operator": "OR"
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "\u00d3scar Atienza Vendrell"
            }
          ],
          "datePublic": "2026-02-05T11:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server\u0027s file system, thet is, \u0027http://\u0026lt;host\u0026gt;/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd\u0027. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise."
                }
              ],
              "value": "Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server\u0027s file system, thet is, \u0027http://\u003chost\u003e/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd\u0027. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-05T13:16:30.583Z",
            "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            "shortName": "INCIBE"
          },
          "references": [
            {
              "tags": [
                "patch"
              ],
              "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-digitek-grupo-azkoyen"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The vulnerability has been fixed in the latest version of the affected products."
                }
              ],
              "value": "The vulnerability has been fixed in the latest version of the affected products."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Path Traversal in Digitek from Grupo Azkoyen",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "assignerShortName": "INCIBE",
        "cveId": "CVE-2026-1523",
        "datePublished": "2026-02-05T13:16:30.583Z",
        "dateReserved": "2026-01-28T10:54:43.233Z",
        "dateUpdated": "2026-02-05T14:29:09.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-3604 (GCVE-0-2021-3604)

    Vulnerability from cvelistv5 – Published: 2021-06-18 14:14 – Updated: 2024-09-16 23:06
    VLAI
    Title
    Primion-Digitek Secure 8 SQL injection vulnerability
    Summary
    Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.
    CWE
    • CWE 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Date Public
    2021-06-18 00:00
    Credits
    Ander Martínez of Titanium Industrial Security.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:01:08.315Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Secure 8 (Evalos)",
              "vendor": "Primion Digitek",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.1.55"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Ander Mart\u00ednez of Titanium Industrial Security."
            }
          ],
          "datePublic": "2021-06-18T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE 89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-18T14:14:47.000Z",
            "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
            "shortName": "INCIBE"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5."
            }
          ],
          "source": {
            "advisory": "INCIBE-2021-0243",
            "discovery": "EXTERNAL"
          },
          "title": "Primion-Digitek Secure 8 SQL injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-coordination@incibe.es",
              "DATE_PUBLIC": "2021-06-18T08:00:00.000Z",
              "ID": "CVE-2021-3604",
              "STATE": "PUBLIC",
              "TITLE": "Primion-Digitek Secure 8 SQL injection vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Secure 8 (Evalos)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "1.0.1.55",
                                "version_value": "1.0.1.55"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Primion Digitek"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Ander Mart\u00ednez of Titanium Industrial Security."
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database."
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
              }
            ],
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE 89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability"
                },
                {
                  "name": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html",
                  "refsource": "CONFIRM",
                  "url": "http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "This vulnerability has been solved by Primion-Digitek in Evalos8 3.3.5."
              }
            ],
            "source": {
              "advisory": "INCIBE-2021-0243",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "assignerShortName": "INCIBE",
        "cveId": "CVE-2021-3604",
        "datePublished": "2021-06-18T14:14:47.260Z",
        "dateReserved": "2021-06-15T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:06:31.070Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }