Vulnerabilities in Sparx Systems products

ID: 3b09acc2-0fd1-5272-b3f5-12f6ae63b09e

STIX ID: report--3b09acc2-0fd1-5272-b3f5-12f6ae63b09e

Feed Name: CERT Polska

Threat Score: 75/100

Date Published: 2026-05-19

Date Updated: 2026-05-19

Author: CERT Polska

CERT Polska published a coordinated disclosure for five critical vulnerabilities in Sparx Systems products (Pro Cloud Server and Enterprise Architect): broken access control and SQL execution as low-privileged users; an authentication bypass allowing unauthenticated SQL execution; client-side authentication weaknesses enabling impersonation; a race condition that can lead to remote code execution by creating and executing a malicious PHP file; and a denial of service induced by malformed SQL. Confirmed vulnerable versions include Pro Cloud Server ≤ 6.1 (build 167) and Enterprise Architect ≤ 17.1; the vendor was notified and credited the reporter.