Beware of SQL Injection Vulnerability in TIBCO EBX Add-ons

CVE: CVE-2023-26217
CVSS (v3.1): 8.8
Source: CVE-2023-26217

TIBCO EBX Add-ons, a popular data exchange tool, has been found to contain a vulnerability that allows an attacker to execute malicious SQL statements on systems where it is installed.

The vulnerability exists in the Data Exchange Add-on component and can be exploited by a low-privileged user who holds import permissions. Such a user can submit specially crafted SQL through the network-exposed EBX server interface, allowing them to manipulate the database and even extract sensitive data such as user credentials.

SQL injection attacks work by inserting malicious SQL code into input fields whose contents the backend database then executes. In this case, the EBX add-on fails to sanitize user input, enabling the injection of rogue queries.

TIBCO Software has released patches addressing the issue in the affected releases (versions 4.5.17 and below, 5.6.2 and below, and 6.1.0 and below). Users are strongly recommended to update immediately. Administrators should also audit permissions and network access to restrict unauthorized data imports. Following basic security practices such as regular updates and access control helps prevent such vulnerabilities from being exploited.
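As an added illustration of the two points above (unsanitized input reaching the SQL engine, and restricting what an import-only user may touch), the following Python sketch is not code from TIBCO or the EBX add-on: the schema, the `IMPORTABLE` allow-list and the function names are constructed for the example. It contrasts an import routine that splices imported values into SQL text with one that allow-lists the target table and columns and binds values, plus the benign quote probe a tester uses to tell the two apart.

```python
import sqlite3

# Constructed demo schema (not EBX's real schema): a table that imports
# may write to, and a sensitive table an import-only user must never reach.
SCHEMA = """
CREATE TABLE products(sku TEXT, name TEXT);
CREATE TABLE users(login TEXT, pw_hash TEXT);
"""

# Hypothetical allow-list: the only tables and columns an import may target.
IMPORTABLE = {"products": {"sku", "name"}}

def new_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def import_rows_vulnerable(con, table, rows):
    """Splices imported cell values into the SQL text: the importing user
    thereby controls part of the statement the database executes."""
    for row in rows:
        cols = ", ".join(row)
        vals = ", ".join(f"'{v}'" for v in row.values())
        con.execute(f"INSERT INTO {table}({cols}) VALUES ({vals})")
    con.commit()

def import_rows_hardened(con, table, rows):
    """Allow-lists identifiers (which cannot be bound) and binds values."""
    if table not in IMPORTABLE:
        raise PermissionError(f"import into {table!r} is not permitted")
    for row in rows:
        unknown = set(row) - IMPORTABLE[table]
        if unknown:
            raise ValueError(f"unknown column(s): {sorted(unknown)}")
        cols = ", ".join(row)
        marks = ", ".join("?" for _ in row)
        con.execute(f"INSERT INTO {table}({cols}) VALUES ({marks})",
                    tuple(row.values()))
    con.commit()

def value_reaches_sql_parser(import_fn):
    """Defender's probe: import a benign value containing a quote. A SQL
    syntax error means the value was spliced into the statement text."""
    con = new_db()
    try:
        import_fn(con, "products", [{"sku": "P1", "name": "O'Brien"}])
    except sqlite3.OperationalError:
        return True
    return False
```

The probe flags the vulnerable routine (the apostrophe in `O'Brien` breaks the statement) while the hardened one stores the value verbatim and refuses imports aimed at tables or columns outside the allow-list.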
