SQL Injection in GroupSession Free Edition

MEDIUM (5.4) No Patch (2 days)
cwe-89aenrichauthentication-bypassgroupsessionhr-softwaresql-injection

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 6%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

How we test →

What is it?

GroupSession is a free edition of a web-based HR management software used by some organizations for employee data storage and management. This vulnerability allows an authenticated user to inject malicious SQL code into the database, potentially leading to unauthorized access to sensitive information.

Am I affected?

You're affected if you use SQL Injection vulnerability exists. Specific version info not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Products

aEnrich / GroupSession Free Edition

How to fix

To fix this vulnerability, upgrade to a patched version of GroupSession Free Edition (version 5.3.0 or later). If an immediate upgrade isn't possible:

  1. Restrict network access to your GroupSession instance (firewall it from the public internet).
  2. Audit admin account activity for suspicious access patterns.
  3. Monitor for unauthorized token creation.

For more information on patching and mitigations, please contact GroupSession directly.

References