Vulnerability Management

RCE attacks possible with Gentoo Soko SQL flaws

Attackers could leverage a pair of already addressed SQL injection flaws in Gentoo Soko, a Go software module deployed on the Gentoo Linux infrastructure, to facilitate remote code execution attacks that could lead to sensitive data exposure, reports The Hacker News. The vulnerabilities, tracked together as CVE-2023-28424, stemmed from a database misconfiguration, and neither the Object-Relational Mapping library in use nor prepared statements prevented them, according to SonarSource researcher Thomas Chauchefoin. "The SQL injections were exploitable and had the ability to disclose the PostgreSQL server's version and execute arbitrary commands on the system," said SonarSource, which recently identified another cross-site scripting flaw impacting the Odoo open-source business suite that could be leveraged to enable impersonation attacks and data exfiltration activities. Other open-source software, including OpenEMR and Pretalx, was also found earlier this year to be affected by security flaws that could allow remote execution of arbitrary code.
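The report does not explain how the injections slipped past an ORM and prepared statements, and the example below does not claim to reproduce Soko's code. It is an added illustration of the general way this happens: a prepared statement protects only the values passed as bind parameters, while anything spliced into the query text before it is prepared (typically identifiers such as an ORDER BY column, which PostgreSQL cannot take as a parameter) is still injectable. The `packages` table, its columns, and the search payload are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Query is the SQL text plus the bind parameters that would accompany it.
// Added example, not Soko's code: the table and column names are assumptions.
type Query struct {
	SQL  string
	Args []interface{}
}

// buildSearchVulnerable interpolates every input into the query text.
// Even if the result is later executed as a prepared statement, the
// statement the server parses already contains the attacker's input.
func buildSearchVulnerable(term, sortCol, sortDir string) Query {
	return Query{
		SQL: fmt.Sprintf(
			"SELECT name, version FROM packages WHERE name ILIKE '%%%s%%' ORDER BY %s %s",
			term, sortCol, sortDir),
	}
}

// Allowlists for the parts of the query that cannot be bound as parameters.
var allowedSortCols = map[string]bool{"name": true, "version": true, "updated_at": true}
var allowedSortDirs = map[string]bool{"ASC": true, "DESC": true}

// buildSearchSafe binds the search term as $1 and only lets allowlisted
// identifiers into the query text, so no user-controlled bytes reach the
// statement that the server parses.
func buildSearchSafe(term, sortCol, sortDir string) (Query, error) {
	if !allowedSortCols[sortCol] {
		return Query{}, errors.New("sort column not allowed: " + sortCol)
	}
	dir := strings.ToUpper(sortDir)
	if !allowedSortDirs[dir] {
		return Query{}, errors.New("sort direction not allowed: " + sortDir)
	}
	return Query{
		SQL:  "SELECT name, version FROM packages WHERE name ILIKE $1 ORDER BY " + sortCol + " " + dir,
		Args: []interface{}{"%" + term + "%"},
	}, nil
}

func main() {
	// Constructed payload: breaks out of the ORDER BY clause and appends a
	// statement. What a stacked statement can do once it runs depends on
	// the privileges of the database user the application connects as.
	payload := "name; SELECT version(); --"

	v := buildSearchVulnerable("gcc", payload, "ASC")
	fmt.Println("vulnerable:", v.SQL)

	if _, err := buildSearchSafe("gcc", payload, "ASC"); err != nil {
		fmt.Println("safe:", err)
	}
	s, _ := buildSearchSafe("gcc", "name", "asc")
	fmt.Println("safe:", s.SQL, s.Args)
}
```

The check worth automating is the one the `main` prints: grep the final SQL text for user input. If any request-controlled bytes appear in the statement string rather than in the argument list, prepared statements are not protecting that query, regardless of which ORM produced it.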
