Misys FusionCapital Opics Plus is used by regional and local financial institutions to manage treasuries. FusionCapital Opics Plus contains several vulnerabilities.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-5653
According to the reporter, an authenticated but low privileged user may exploit a SQL Injection in the "ID" and "Branch" parameters of a search and enumerate the full database.
An authenticated attacker may be able escalate privileges to administrator, or perform full searches on the database. An unauthenticated attacker may be able decrypt SSL traffic between the client and server.
The CERT/CC is currently unaware of a practical solution to this problem.
Restrict Network Access
Thanks to Wissam Bashour for reporting this vulnerability.
This document was written by Garret Wassermann.