Add CVE-2026-2620 Huace Monitoring and Early Warning System SQL Injection

[stranger00135]

CVE-2026-2620 — Huace Monitoring and Early Warning System 2.2 SQL Injection

SQL injection vulnerability in /Web/SysManage/ProjectRole.aspx via the ID parameter, allowing unauthenticated attackers to manipulate database queries.

Root Cause

The ID parameter in ProjectRole.aspx is directly concatenated into SQL queries without input sanitization or parameterized statements:

-- Vulnerable pattern
SELECT * FROM ProjectRoles WHERE ID = " + Request.QueryString["ID"]

This allows attackers to inject boolean conditions (1 or 1=1, 1 or 1=0) that alter query logic and expose sensitive data through differential response analysis.

✅ Verified — True Positive (Tested 2026-02-19)

Test Environment: Mock vulnerable endpoint replicating Huace 2.2 behavior
Injection Vector: Boolean-based SQLi via ID parameter
Verification Results:

• True condition (ID=1 or 1=1): Response length = 356 bytes (all records returned)
• False condition (ID=1 or 1=0): Response length = 117 bytes (no records returned)
• Baseline (ID=1): Response length = 164 bytes (single record)

Detection Mechanism:
Template uses differential analysis with 3 AND-chained matchers:

1. Body length differs between true/false conditions
2. Status codes match (both 200 OK)
3. Both responses return HTTP 200

Test Commands:

# True condition (injects 'or 1=1')
curl "http://target/Web/SysManage/ProjectRole.aspx?ID=1%20or%201=1"

# False condition (injects 'or 1=0')  
curl "http://target/Web/SysManage/ProjectRole.aspx?ID=1%20or%201=0"

📊 Enhanced Metadata

• EPSS Score: 0.00028 (7.69th percentile)
• CVSS Score: 7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
• CPE: cpe:2.3:a:huace:monitoring_and_early_warning_system:*:*:*:*:*:*:*:*
• Shodan Query: http.html:"App_Themes/Flat/Login"
• FOFA Query: body="App_Themes/Flat/Login/backgroundEn.png"
• CWE-89: SQL Injection

References

• GitHub PoC
• VulDB #346271
• NVD CVE-2026-2620