Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry (see the CWE section below).
Summary

Title: Misys FusionCapital Opics Plus contains multiple vulnerabilities

Information

Name: VU#682704
Vendor: VU-CERT
First vendor publication: 2016-07-19
Last vendor modification: 2016-08-08
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact subscore: NA
Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS base score: 8.5
CVSS impact score: 10
CVSS exploit score: 6.8
Attack range: Network
Attack complexity: Medium
Authentication: Requires single instance

Detail

Vulnerability Note VU#682704

Misys FusionCapital Opics Plus contains multiple vulnerabilities

Original Release date: 19 Jul 2016 | Last revised: 08 Aug 2016

Overview

Misys FusionCapital Opics Plus is used by regional and local financial institutions to manage treasuries. FusionCapital Opics Plus contains several vulnerabilities.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2016-5653

According to the reporter, an authenticated but low-privileged user may exploit an SQL injection in the "ID" and "Branch" parameters of a search function and enumerate the full database.

CWE-280: Improper Handling of Insufficient Permissions or Privileges - CVE-2016-5654

According to the reporter, a remote authenticated attacker able to execute a man-in-the-middle attack may be able to tamper with the "xmlMessageOut" parameter of a client POST request to escalate privileges to administrator.

CWE-295: Improper Certificate Validation - CVE-2016-5655

According to the reporter, a remote unauthenticated attacker able to execute a man-in-the-middle attack may be able to present an alternate SSL certificate and therefore decrypt all traffic between the client and FusionCapital Opics Plus server.

Misys has responded to these issues with the following statement:

    Misys has analysed the reported vulnerabilities and determined that they could
    relate to a specific older version, but not for all versions, of one of our
    applications, with the matter being rectified with a user configuration change
    or non-emergency software patch. In short, we identified that the SQL
    injection vulnerability is true positive and the other two reported
    vulnerabilities are misconfigurations. For more information, our Opics clients
    are being directed to contact their Misys Customer Advocate.

Impact

An authenticated attacker may be able to escalate privileges to administrator, or perform full searches on the database. An unauthenticated attacker may be able to decrypt SSL traffic between the client and server.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Consult your firewall product's manual for more information.

Vendor Information

Vendor: Misys
Status: Affected
Date notified: 26 Apr 2016
Date updated: 29 Jul 2016

CVSS Metrics

Group: Base
Score: 8.5
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Group: Temporal
Score: 7.7
Vector: E:POC/RL:U/RC:C

Group: Environmental
Score: 2.2
Vector: CDP:H/TD:L/CR:H/IR:H/AR:H
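To check the three scores in this table against the CVSS v2 formulas, here is an added Python calculator (not part of the CERT note or of Security-Database's own tooling) that parses the vectors listed above and reproduces the base, temporal and environmental scores; the metric weights are the ones published in the CVSS v2.0 guide.

```python
from decimal import Decimal, ROUND_HALF_UP
# CVSS v2.0 metric weights (CVSS v2.0 guide), kept as strings for exact decimal arithmetic.
CIA = {"N": "0", "P": "0.275", "C": "0.660"}
REQ = {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"}
W = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": CIA, "I": CIA, "A": CIA,
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
    "CR": REQ, "IR": REQ, "AR": REQ,
}

def parse(vector):
    """Map 'AV:N/AC:M/...' (surrounding parentheses tolerated) to {metric: weight}."""
    pairs = (part.split(":") for part in vector.strip("()").split("/"))
    return {name: Decimal(W[name][value]) for name, value in pairs}
def r1(x):
    """The guide's round_to_1_decimal: half up, unlike Python's round()."""
    return Decimal(x).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
def impact(m, cr=1, ir=1, ar=1):
    # Requirement multipliers stay at 1 unless an environmental vector supplies them
    c, i, a = m["C"] * cr, m["I"] * ir, m["A"] * ar
    return Decimal("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))
def base_score(imp, expl):
    f = Decimal("1.176") if imp else Decimal(0)  # f(Impact) is 0 only when Impact is 0
    return r1((Decimal("0.6") * imp + Decimal("0.4") * expl - Decimal("1.5")) * f)

def cvss2(base_vec, temporal_vec=None, env_vec=None):
    """Return subscores and base/temporal/environmental scores (None if no vector)."""
    m = parse(base_vec)
    expl = 20 * m["AV"] * m["AC"] * m["Au"]
    base = base_score(impact(m), expl)
    out = {"impact": float(r1(impact(m))), "exploitability": float(r1(expl)),
           "base": float(base), "temporal": None, "environmental": None}
    if temporal_vec:
        t = parse(temporal_vec)
        out["temporal"] = float(r1(base * t["E"] * t["RL"] * t["RC"]))
        if env_vec:
            e = parse(env_vec)
            # Environmental re-derives temporal from a capped, requirement-weighted impact
            adj_imp = min(Decimal(10), impact(m, e["CR"], e["IR"], e["AR"]))
            adj_t = r1(base_score(adj_imp, expl) * t["E"] * t["RL"] * t["RC"])
            out["environmental"] = float(r1((adj_t + (10 - adj_t) * e["CDP"]) * e["TD"]))
    return out
```

Running `cvss2("(AV:N/AC:M/Au:S/C:C/I:C/A:C)", "E:POC/RL:U/RC:C", "CDP:H/TD:L/CR:H/IR:H/AR:H")` yields 8.5, 7.7 and 2.2, matching the table, with the impact and exploitability subscores of 10.0 and 6.8 shown in the v2 scoring section.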

References

  • https://www.misys.com/media/103101/fusioncapital_opics_swo.pdf
  • https://cwe.mitre.org/data/definitions/89.html
  • https://cwe.mitre.org/data/definitions/280.html
  • https://cwe.mitre.org/data/definitions/295.html

Credit

Thanks to Wissam Bashour for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-5653, CVE-2016-5654, CVE-2016-5655
  • Date public: 19 Jul 2016
  • Date first published: 19 Jul 2016
  • Date last updated: 08 Aug 2016
  • Document revision: 45

Original Source

Url : http://www.kb.cert.org/vuls/id/682704

CWE : Common Weakness Enumeration

  • 50 % - CWE-264 Permissions, Privileges, and Access Controls
  • 50 % - CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

  • Type: Application (count: 1)

Alert History

Date / Information
2016-08-08 17:23:42
  • Multiple Updates
2016-07-29 21:24:01
  • Multiple Updates
2016-07-22 13:36:08
  • Multiple Updates
2016-07-21 01:02:02
  • Multiple Updates
2016-07-20 12:02:47
  • Multiple Updates
2016-07-19 21:37:31
  • First insertion