BillQuick Web Suite SQL injection (CVE-2021-42258) - Vulnerability Database

BillQuick Web Suite SQL injection (CVE-2021-42258)

Description

BillQuick Web Suite, the web edition of BQE Software's billing and time-tracking product, contains a SQL injection vulnerability tracked as CVE-2021-42258. Affected are WebSuite 2018 through 2021 before version 22.0.9.1. User-supplied input, including the username field of the login form, is placed into a database query without validation or parameterisation, so a quote character terminates the intended string literal and the remainder of the input is executed as SQL. No credentials are needed: the injection point is reachable before authentication. Because the application runs against Microsoft SQL Server, impact is not limited to reading or altering the billing and client records in the database; where the application's database login holds sysadmin rights, the injection can be turned into arbitrary command execution on the database host. The flaw was exploited in the wild in October 2021 to install ransomware, which is why it should be treated as an emergency rather than a routine patch.
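To make the root cause concrete, here is an added example (not BillQuick's code, and not taken from the vendor or from the CVE record) that contrasts a login check built by string concatenation with the same check using bound parameters, and runs the two classic probes against both: a lone single quote, which surfaces the bug as a database error, and a tautology payload, which bypasses the password check. SQLite stands in for the SQL Server backend; the table name, column names, the sample row and the parameter name txt_id (modelled on a username form field) are all assumptions made for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's SQL Server database.

    The Users table and its single row are constructed sample data for
    this example only.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, txt_id: str, txt_pw: str) -> bool:
    """Login check built by concatenating form fields into the statement.

    This is the bug class behind CVE-2021-42258: a quote in txt_id closes
    the string literal early and whatever follows is parsed as SQL.
    """
    sql = (
        "SELECT COUNT(*) FROM Users WHERE username = '" + txt_id
        + "' AND password = '" + txt_pw + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, txt_id: str, txt_pw: str) -> bool:
    """Same check with bound parameters.

    The statement text is fixed; the driver ships the values separately,
    so quotes, comment markers and keywords in the input are only ever
    compared as data, never executed.
    """
    sql = "SELECT COUNT(*) FROM Users WHERE username = ? AND password = ?"
    return conn.execute(sql, (txt_id, txt_pw)).fetchone()[0] > 0


def quote_breaks_query(conn: sqlite3.Connection, login) -> bool:
    """Error-based probe: does a lone single quote in the username field
    make the statement fail to parse? A database error page in response
    to this input is the usual first sign of an injection bug."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.Error:
        return True


def demo() -> dict:
    """Run both probes against both implementations and report the outcome."""
    conn = make_db()
    # Tautology plus a line comment that discards the password predicate.
    bypass = "admin' OR '1'='1' --"
    return {
        "vuln_valid_login": login_vulnerable(conn, "admin", "s3cret"),
        "fixed_valid_login": login_fixed(conn, "admin", "s3cret"),
        "vuln_bypass": login_vulnerable(conn, bypass, "wrong"),
        "fixed_bypass": login_fixed(conn, bypass, "wrong"),
        "vuln_quote_error": quote_breaks_query(conn, login_vulnerable),
        "fixed_quote_error": quote_breaks_query(conn, login_fixed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both implementations accept the legitimate credentials. Only the concatenated version throws on the single quote and lets the tautology payload in with a wrong password; against the parameterised version the same strings are just unknown usernames. The probe order mirrors how such a bug is found in practice: an error on `'` first, then a payload that changes the query's logic.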

Remediation

Upgrade BillQuick Web Suite to version 22.0.9.1 or later, which contains BQE Software's fix for CVE-2021-42258; obtain the update from the vendor. Until the upgrade is in place, reduce exposure with the following interim measures: (1) restrict network access to the BillQuick Web Suite application to trusted source addresses, ideally behind a VPN, since the injection point is reachable without credentials; (2) put a Web Application Firewall with SQL injection rules in front of the application, treating it as a stop-gap rather than a fix, because injection filters can be bypassed; (3) review web server and application logs for quote characters, SQL keywords or comment markers in login requests, for database error responses, and for logins from unexpected addresses; and (4) run the application under a database login that is not a member of the SQL Server sysadmin role and keep xp_cmdshell disabled, so that a successful injection cannot be escalated to command execution on the database host. Because this flaw was exploited in the wild before many installations were patched, do not assume an unpatched exposed instance is clean: after upgrading, check the database and web server hosts for indicators of compromise, review all application and database accounts for unauthorised additions or changes, and rotate the credentials the application uses.