This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: SQL Injection (SQLi) in SportsNET v4.0.1. π **Location**: `/conexiones/ax/openTracExt/` page, specifically the `categoria` parameter.β¦
π’ **Vendor**: SportsNET. π¦ **Product**: SportsNET Sports Event Application. π **Affected Version**: **4.0.1** specifically. Check your deployment version immediately!
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Attacker Capabilities**: Full Database Control. ποΈ **Read**: Extract all sensitive data. βοΈ **Write**: Update records. ποΈ **Delete**: Erase critical information. This is a **Critical** impact level (CVSS High).
Q5Is exploitation threshold high? (Auth/Config)
β‘ **Exploitation Threshold**: **LOW**. π **Network**: Attack Vector is Network (AV:N). π **Auth**: Privileges Required are None (PR:N). ποΈ **UI**: User Interaction is None (UI:N).β¦
π **Self-Check**: Scan for the URL path `/conexiones/ax/openTracExt/`. Test the `categoria` parameter with standard SQLi payloads (e.g., `' OR 1=1--`). Look for error messages or unexpected data changes in the response.
Q8Is it fixed officially? (Patch/Mitigation)
π§ **Official Fix**: The data does not list a specific patch version. However, the reference link from **INCIBE** suggests an advisory exists.β¦
π₯ **Urgency**: **CRITICAL**. π **Priority**: **P0**. With CVSS High severity, no authentication required, and full database impact, this must be patched **immediately**. Do not wait for a PoC to appear!