Vulnerability Note VU#682704
Misys FusionCapital Opics Plus contains multiple vulnerabilities
Misys FusionCapital Opics Plus is used by regional and local financial institutions to manage treasuries. FusionCapital Opics Plus contains several vulnerabilities.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-5653
According to the reporter, an authenticated but low-privileged user may exploit an SQL injection in the "ID" and "Branch" parameters of a search to enumerate the full database.
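To make the defect class concrete, the following is an added illustration, not Opics Plus code: the table, columns and handler are constructed. It places a search over an ID and Branch pair built by string concatenation beside its parameterized form and shows why the first lets a single field return every row while the second matches the same input literally.

```python
import sqlite3

# Constructed sample schema and rows; the real product schema is not public
# and nothing here is the vendor's own code.
SAMPLE_ROWS = [
    ("T1001", "LONDON", "swap"),
    ("T1002", "LONDON", "deposit"),
    ("T2001", "PARIS", "fx-forward"),
]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deals (id TEXT, branch TEXT, product TEXT)")
    conn.executemany("INSERT INTO deals VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def search_unsafe(conn, deal_id, branch):
    """Vulnerable pattern: the ID and Branch values are pasted into the SQL
    text, so a quote in either field changes the statement's structure."""
    sql = ("SELECT id, branch, product FROM deals "
           f"WHERE id = '{deal_id}' AND branch = '{branch}'")
    return conn.execute(sql).fetchall()

def search_safe(conn, deal_id, branch):
    """Hardened pattern: placeholders bind the values as data, so the same
    input is compared literally and cannot alter the statement."""
    sql = "SELECT id, branch, product FROM deals WHERE id = ? AND branch = ?"
    return conn.execute(sql, (deal_id, branch)).fetchall()

def demo():
    conn = open_sample_db()
    # A legitimate lookup behaves identically in both versions.
    normal = (search_unsafe(conn, "T1001", "LONDON"),
              search_safe(conn, "T1001", "LONDON"))
    # A tautology in the Branch field: AND binds tighter than OR, so the
    # concatenated WHERE clause becomes true for every row (the "enumerate
    # the full database" outcome); the bound version finds no such branch.
    crafted = "LONDON' OR '1'='1"
    leaked = search_unsafe(conn, "T1001", crafted)
    bound = search_safe(conn, "T1001", crafted)
    return normal, leaked, bound

if __name__ == "__main__":
    normal, leaked, bound = demo()
    print("normal:", normal)
    print("unsafe with crafted branch:", leaked)
    print("safe with crafted branch:", bound)
```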
relate to a specific older version, but not for all versions, of one of our applications, with the matter being rectified with a user configuration change or non-emergency software patch. In short, we identified that the SQL injection vulnerability is true positive and the other two reported vulnerabilities are misconfigurations. For more information, our Opics clients are being directed to contact their Misys Customer Advocate.
An authenticated attacker may be able to escalate privileges to administrator or perform full searches on the database. An unauthenticated attacker may be able to decrypt SSL traffic between the client and server.
The CERT/CC is currently unaware of a practical solution to this problem.
Restrict Network Access
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Misys | Affected | 26 Apr 2016 | 29 Jul 2016 |
CVSS Metrics
Thanks to Wissam Bashour for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-5653 CVE-2016-5654 CVE-2016-5655
- Date Public: 19 Jul 2016
- Date First Published: 19 Jul 2016
- Date Last Updated: 08 Aug 2016
- Document Revision: 45