Title: Multiple vulnerabilities in Navetti PricePoint
Product: Navetti PricePoint
Vulnerable Version: 4.6.0.0
Fixed Version: 4.7.0.0 or higher
CVE Number: Not specified
Impact: High/Critical
Homepage: Navetti Website
Date Found: 2016-07-18
Discovered By: W. Schober (Office Vienna)
Severity: High/Critical

Vulnerabilities Overview

1. SQL Injection (blind, boolean-based) - Attackers can execute SQL injection attacks with various privilege levels.
2. Multiple Persistent Cross-Site Scripting Vulnerabilities - Low- and high-privileged users can inject malicious JavaScript payloads persistently.
3. Multiple Reflected Cross-Site Scripting Vulnerabilities - The application is vulnerable to reflected XSS in error messages and file uploads.
4. Cross-Site Request Forgery (CSRF) - The application lacks CSRF protection, allowing attackers to execute actions with any user's privileges.

Vulnerable and Tested Version

Version 4.6.0.0 was tested and found vulnerable.

Solution

Update to the latest version, 4.7.0.0 or higher, which fixes all identified vulnerabilities.