Security researchers from ERPScan discovered a high severity vulnerability in MICROS point-of-sale (POS) terminals that could allow hackers to read sensitive data.
The directory traversal vulnerability (CVE-2018-2636) is in Oracle’s MICROS EGateway Application Service that if left unpatched, could allow a hacker to gain access to vulnerable URL and steal sensitive files from the MICROS workstation.
“The attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise,” ERPScan stated in the blog post.
The vulnerability was discovered back in September 2017 and fixed by Oracle in recent January critical patch update.