CVE-2010-0112

EPSS 4.62%
Published 28.10.2010 20:00:02
Last modified 11.04.2025 00:51:21
Source cve@mitre.org
Teams watchlist Login
Open Login

Multiple SQL injection vulnerabilities in the Administrative Interface in the IIS extension in Symantec IM Manager before 8.4.16 allow remote attackers to execute arbitrary SQL commands via (1) the rdReport parameter to rdpageimlogic.aspx, related to the sGetDefinition function in rdServer.dll, and SQL statements contained within a certain report file; (2) unspecified parameters in a DetailReportGroup (aka DetailReportGroup.lgx) action to rdpageimlogic.aspx; the (3) selclause, (4) whereTrendTimeClause, (5) TrendTypeForReport, (6) whereProtocolClause, or (7) groupClause parameter in a SummaryReportGroup (aka SummaryReportGroup.lgx) action to rdpageimlogic.aspx; the (8) loginTimeStamp, (9) dbo, (10) dateDiffParam, or (11) whereClause parameter in a LoggedInUsers (aka LoggedInUSers.lgx) action to (a) rdpageimlogic.aspx or (b) rdPage.aspx; the (12) selclause, (13) whereTrendTimeClause, (14) TrendTypeForReport, (15) whereProtocolClause, or (16) groupClause parameter to rdpageimlogic.aspx; (17) the groupList parameter to IMAdminReportTrendFormRun.asp; or (18) the email parameter to IMAdminScheduleReport.asp.

Affected products Warnungen 0 Metrics 2 CWE 1 References 19

Data is provided by the National Vulnerability Database (NVD)

Symantec ≫ Im Manager Version <= 8.4.15

Symantec ≫ Im Manager Version6.0

Symantec ≫ Im Manager Version6.5

Symantec ≫ Im Manager Version7.0

Symantec ≫ Im Manager Version7.5

Symantec ≫ Im Manager Version8.3

Symantec ≫ Im Manager Version8.4.0

Symantec ≫ Im Manager Version8.4.1

Symantec ≫ Im Manager Version8.4.2

Symantec ≫ Im Manager Version8.4.5

Symantec ≫ Im Manager Version8.4.6

Symantec ≫ Im Manager Version8.4.7

Symantec ≫ Im Manager Version8.4.8

Symantec ≫ Im Manager Version8.4.9

Symantec ≫ Im Manager Version8.4.10

Symantec ≫ Im Manager Version8.4.11

Symantec ≫ Im Manager Version8.4.12

Symantec ≫ Im Manager Version8.4.13

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	4.62%	0.882

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

http://osvdb.org/68901

http://osvdb.org/68902

http://osvdb.org/68903

http://secunia.com/advisories/41959

Vendor Advisory

http://www.securityfocus.com/bid/44299

http://www.securitytracker.com/id?1024648

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101027_01

http://www.vupen.com/english/advisories/2010/2789

Vendor Advisory

http://www.zerodayinitiative.com/advisories/ZDI-10-220/

http://www.zerodayinitiative.com/advisories/ZDI-10-221/