Resolved SQL injection in SMPP component of SMSEagle software < 6.11

  • Level: Medium
  • CVE(s): 
  • Affected Devices: All

Overview

SMSEagle Team has fixed an SQL injection vulnerability in the SMPP component of the software. The component operates with its own dedicated database, separate from the main software’s database, so the vulnerability is confined to the SMPP server’s operations. The issue was discovered and responsibly disclosed to SMSEagle Team by an external security researcher.

SMSEagle Team would like to thank Vincent Salvadori for responsibly disclosing the issue to SMSEagle.

Affected Products

All device models running software version < 6.11 are affected by the vulnerability. The issue has been resolved in software version 6.11 and higher.

Remediation

Update your SMSEagle software to version 6.11 or higher.

You can perform the update via web-GUI > Settings > Updates > “Check for software update now”. For offline software update packages, contact our Support Center. Until the update is applied, restrict network access to the device’s SMPP listener to trusted SMPP clients: the published CVSS vector (AV:A) indicates the issue is reachable only over the network adjacent to that service.

Details

A SQL injection vulnerability has been identified in the SMPP server component of the software, specifically in how certain parameters are handled in the server’s database interactions. The vulnerability arises from improper sanitization of user-supplied input in the SMPP server’s scripts: values received from an SMPP client reach SQL statements without adequate sanitization. The SMPP server operates with its own dedicated database, separate from the main software’s database, so the impact is limited to data held by the SMPP server; the main application database is not reachable through this issue. The CVSS vector below (PR:N, UI:N, C:L, I:N, A:N) reflects that an unauthenticated client on the adjacent network can obtain limited confidential data from the SMPP database, with no integrity or availability impact.
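To illustrate the vulnerability class described above, the following is an added example, not SMSEagle’s code: a hypothetical SMPP-server lookup that builds its SQL text from a PDU field, beside the parameterized form that fixes it. The table `smpp_messages`, the handler names, the sample rows and the choice of `destination_addr` as the abused field are assumptions constructed for this example; `destination_addr` is a real SMPP PDU field, but nothing here claims it is the parameter that was affected in SMSEagle.

```python
"""Illustration of the SQL-injection class fixed in the SMSEagle SMPP server.

Constructed example, not SMSEagle's code: the table, the handlers and the
PDU field they consume are assumptions chosen to show the pattern
(string-built query versus parameterized query).
"""
import sqlite3


def build_smpp_db() -> sqlite3.Connection:
    """In-memory stand-in for the SMPP server's dedicated database.

    Schema and rows are constructed for this example only.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE smpp_messages (
            id INTEGER PRIMARY KEY,
            system_id TEXT NOT NULL,        -- SMPP account that submitted it
            source_addr TEXT NOT NULL,
            destination_addr TEXT NOT NULL,
            short_message TEXT NOT NULL
        );
        INSERT INTO smpp_messages (system_id, source_addr, destination_addr, short_message) VALUES
            ('alerts',  '12345', '+4915112345678', 'disk 97% on db01'),
            ('alerts',  '12345', '+4915187654321', 'backup finished'),
            ('billing', '54321', '+33612345678',   'invoice 4711 overdue');
        """
    )
    return conn


def query_messages_vulnerable(conn: sqlite3.Connection, system_id: str, destination_addr: str) -> list:
    """VULNERABLE: the PDU field is concatenated into the SQL text.

    destination_addr arrives verbatim from the client's PDU, so a client
    controls part of the statement, not just a value in it.
    """
    sql = (
        "SELECT system_id, destination_addr, short_message FROM smpp_messages "
        f"WHERE system_id = '{system_id}' AND destination_addr = '{destination_addr}'"
    )
    return conn.execute(sql).fetchall()


def query_messages_fixed(conn: sqlite3.Connection, system_id: str, destination_addr: str) -> list:
    """FIXED: the same lookup with bound parameters; the field is data only."""
    sql = (
        "SELECT system_id, destination_addr, short_message FROM smpp_messages "
        "WHERE system_id = ? AND destination_addr = ?"
    )
    return conn.execute(sql, (system_id, destination_addr)).fetchall()


# A destination_addr a client could place in a PDU: it closes the string
# literal and appends an OR that defeats the account filter (AND binds
# tighter than OR, so every row matches).
INJECTED_ADDR = "' OR '1'='1"


def demo() -> tuple:
    """Run both handlers with the injected value; returns (leaked, contained)."""
    conn = build_smpp_db()
    leaked = query_messages_vulnerable(conn, "alerts", INJECTED_ADDR)
    contained = query_messages_fixed(conn, "alerts", INJECTED_ADDR)
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = demo()
    print("vulnerable handler returned", len(leaked), "rows (incl. other accounts)")
    print("fixed handler returned", len(contained), "rows")
```

The vulnerable handler returns all three rows, including the `billing` account’s message, which is the kind of cross-account read the advisory’s C:L rating describes; the parameterized handler returns nothing because the injected text is compared literally. The payload is 11 octets, well within the 21-octet limit SMPP 3.4 places on `destination_addr`, so field length limits alone are not a defence; binding values as parameters is.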

Security Impact Rating (SIR): Medium
CVSS Base Score: 4.3
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Finder: Vincent Salvadori

Related Information

  • TBD

SMSEagle Security Advisories

SMSEagle continuously monitors and reports cybersecurity threats, enabling our customers to proactively take the necessary mitigation steps to maintain the security of their devices. To assist you in managing and mitigating security risks, SMSEagle offers product advisories.