Vulnerability Details CVE-2021-42258
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xp_cmdshell.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.938
EPSS Ranking 99.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 6.8
Proposed Action
BQE BillQuick Web Suite contains an SQL injection vulnerability when accessing the username parameter that may allow for unauthenticated, remote code execution.
Ransomware Campaign
Known
Products affected by CVE-2021-42258
- cpe:2.3:a:bqe:billquick_web_suite:*