One of the SQL injections was chained with another vulnerability, an operating system command injection, to achieve arbitrary code execution on the appliance. The chained attack could enable an attacker with low privileges on the appliance to escalate to a root shell. At that point, the attacker would have full control of the appliance, and that access could be used to move laterally inside the internal network and attack internal assets and other users.

We also discovered a local file read vulnerability in one of the application's endpoints. This could allow an attacker to read, through the vulnerable endpoint, any file on the web server that is locally accessible to the application.

Finally, we discovered a way to bypass the application's security controls and exploit multiple reflected cross-site scripting issues on several endpoints. An attacker could exploit these issues by constructing a request that places a malicious payload in one of the vulnerable parameters and then tricking logged-in users into visiting it.

The malicious payload injected by the attacker is executed within the victim's browser, in the context of that victim's session. This allows the attacker to hijack the user's session and redirect the victim to an attacker-controlled domain, or to mount other client-side attacks, such as in-browser keylogging or performing arbitrary actions within the application as the victim.

We also discovered a sensitive information disclosure vulnerability in one of the application's endpoints. This could allow an authenticated attacker to obtain users' hashed passwords, which could then be recovered using a dictionary attack.