Researchers have discovered several SQL injection vulnerabilities in the websites of the European Parliament and the European Commission — both hosted on the official domain of the European Union (europa.eu).
The flaws were identified by experts from Government Laboratory, a project of Germany-based security firm Vulnerability Lab that focuses on finding zero-day vulnerabilities in government web applications and network services.
The security holes, discovered by Vulnerability Lab CEO Benjamin Kunz Mejri and researcher Marco Onorati, were reported to CERT-EU in May and they were plugged within 1-2 weeks.
“We reported the bugs by the responsible disclosure program and got acknowledged for the critical vulnerabilities in a fair way by the CERT-EU team,” Kunz Mejri, who was listed in CERT-EU’s Hall of Fame, told SecurityWeek.
The SQL injection flaws were found in various sections of the European Commission’s website, including the ones dedicated to the INSPIRE directive (inspire.ec.europa.eu), growth (ec.europa.eu/growth), and employment, social affairs and inclusion (ec.europa.eu/social). In the case of the European Parliament, a vulnerability existed on the europarl.europa.eu/sides/ webpage.
According to the researchers, the flaws could have been exploited by remote, unauthenticated attackers to gain access to European Commission and European Parliament databases containing potentially sensitive user data.
However, Kunz Mejri believes it would not have been easy for an attacker to exploit the security holes, especially without being detected by cybersecurity systems. CERT-EU has not responded to SecurityWeek’s request for comment.
The Government Laboratory research team says it has found vulnerabilities in the websites of several government organizations, including the U.S. Department of Defense and various European agencies. The details will be disclosed after the flaws are patched.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
Latest News
- Consolidate Vendors and Products for Better Security
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
