A vulnerability that allowed the injection of malicious code into
several websites of the Generalitat de Catalunya has exposed more than
5,000 records of personal data, including emails and passwords.
Four subdomains of the Generalitat have been affected by this
vulnerability, as confirmed by the cybersecurity researcher Touseef Gul.
According to the researcher, the vulnerability is a SQL injection.
Of these four vulnerable subdomains of the Generalitat, one exposed a
database with 5,597 data records. In addition to emails and passwords,
other data such as schools have been affected; this has been confirmed
by the Generalitat.
The Generalitat de Catalunya has stated that only about 180 users have
been exposed, and claims in a statement that none of the websites is
listed as a critical system and that, therefore, none of them contained
any critical or sensitive data.
The Catalan institution has indicated in the statement that it has no
evidence that the vulnerability has been exploited on any of its
websites, although the Generalitat reports that an investigation is open
to determine whether there has been any exploitation that could have led
to data extraction by a third party.
Touseef has reported that the vulnerability was discovered two weeks ago
and that since 19 November three of the pages have no longer been
accessible and are under maintenance, as confirmed by the Generalitat.
