CVE-2012-10047
CriticalSummary
Cyclope Employee Surveillance Solution versions 6.x are vulnerable to a SQL injection flaw in its login mechanism. The username parameter in the auth-login POST request is not properly sanitized, allowing attackers to inject arbitrary SQL statements.
Risk Assessment
Exploitation of this vulnerability can lead to writing and executing a malicious PHP file on disk, resulting in remote code execution under the SYSTEM user context.
Recommendation
It is recommended to update to the latest version of the software that fixes this vulnerability and to implement additional security measures such as input data filtering.
Original NVD description (English source)
Cyclope Employee Surveillance Solution versions 6.x are vulnerable to a SQL injection flaw in its login mechanism. The username parameter in the auth-login POST request is not properly sanitized, allowing attackers to inject arbitrary SQL statements. This can be leveraged to write and execute a malicious PHP file on disk, resulting in remote code execution under the SYSTEM user context.

