NLB mKlik Android App 3.3.12 SQL Injection Vulnerability (ZSL-2023-5797)

Key Information: Vulnerability ID: ZSL-2023-5797 Vulnerability Type: SQL Injection Affected Version: 3.3.12 Risk Level: 3/5 Discovery Date: 2022-12-23 Reporter: Neurogenesis () Vulnerability Description: Input data is not properly sanitized before being returned to the user or used in SQL queries, which may lead to SQL injection attacks. POC Details: File Name: nblmklik_sql.txt Reference Links: 1. https://play.google.com/store/apps/details?id=hr.asseco.android.jimba.tutunksamk.production 2. https://packetstormsecurity.com/files/175113/NLB-mKlik-Makedonija-3.3.12-SQL-Injection.html 3. https://nlin.mk/3a_Банката/3a_медиумите/Соопштенија_за_јавност.aspx 4. https://cxsecurity.com/issue/WLB-2023100040 Change Log: 2023-10-14: Initial release 2023-10-17: Added vendor status and reference links [2] and [3] 2023-10-18: Added reference link [4] Vendor Interaction Record: 2022-12-23: Vulnerability discovered Multiple follow-up communications with the vendor, including providing additional details, requesting updates, and confirmation. 2023-01-16: Vendor responded stating that reports of vulnerabilities in the company’s mKlik application online are untrue. They mentioned ongoing improvements to service functionality and information security, and that the reported vulnerability was immediately corrected upon detection. They requested to share this notice with the reporter to ensure transparent and fair public disclosure.

Goal Reached Thanks to every supporter — we hit 100%!

NLB mKlik Android App 3.3.12 SQL Injection Vulnerability (ZSL-2023-5797)