Researchers at SEC Consult have discovered several potentially serious vulnerabilities in a popular pricing solution from Sweden-based company Navetti. The vendor has released a software update that patches the flaws.
Navetti PricePoint is a piece of software designed for controlling, managing and measuring all aspects of an organization’s pricing. According to the company, its product is used by several major organizations, including ABB, Husqvarna, Scania and Electrolux.
SEC Consult has conducted a quick security check of the Navetti PricePoint product and identified four types of vulnerabilities, including SQL injection, stored and reflected cross-site scripting (XSS), and cross-site request forgery (CSRF).
The security firm told SecurityWeek that the software is often accessible from the Internet, allowing attackers to remotely exploit all the vulnerabilities.
The SQL injection flaw affects search functionality, and it allows a low-privileged attacker to inject arbitrary SQL commands and gain access to the content of the application database.
Both the SQL injection and stored XSS vulnerabilities require authentication, but SEC Consult said even the lowest access rights are sufficient.
The CSRF vulnerability, caused by the lack of CSRF tokens or nonces, can be exploited by getting the targeted user to access a specially crafted web page. An attacker can leverage the flaw to perform various actions on behalf of the victim, including to add or delete users, change user privileges, and modify application settings.
The reflected XSS bugs affect the filename fields of file upload dialog boxes and the code used to generate error messages within the PricePoint application. These flaws can be exploited by getting the targeted user to click on a malicious link.
The vulnerabilities were reported to Navetti in late July 2016 and they were patched on October 1 with the release of PricePoint 22.214.171.124. The vendor told SEC Consult that this version also brings other security improvements to its product.
*Updated to clarify that the patch is included in version 126.96.36.199, not 4.7