7.5
CVE-2011-5072
- EPSS 0.32%
- Veröffentlicht 29.01.2012 11:55:02
- Zuletzt bearbeitet 11.04.2025 00:51:21
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginMultiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to execute arbitrary SQL commands via the (1) start parameter to portal/kb.php; (2) contractid parameter to contract_add_service.php; (3) id parameter to edit_escalation_path.php; (4) unlock, (5) lock, or (6) selected parameter to holding_queue.php; inc parameter in a report action to (7) report_customers.php or (8) report_incidents_by_site.php; (9) start parameter to search.php; or (10) sites parameter to transactions.php.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Sitracker ≫ Support Incident Tracker Version <= 3.64
Sitracker ≫ Support Incident Tracker Version3.6
Sitracker ≫ Support Incident Tracker Version3.21
Sitracker ≫ Support Incident Tracker Version3.22
Sitracker ≫ Support Incident Tracker Version3.22pl1
Sitracker ≫ Support Incident Tracker Version3.23
Sitracker ≫ Support Incident Tracker Version3.24
Sitracker ≫ Support Incident Tracker Version3.24 Updatebeta-2
Sitracker ≫ Support Incident Tracker Version3.30
Sitracker ≫ Support Incident Tracker Version3.30 Updatebeta2
Sitracker ≫ Support Incident Tracker Version3.31
Sitracker ≫ Support Incident Tracker Version3.32
Sitracker ≫ Support Incident Tracker Version3.33
Sitracker ≫ Support Incident Tracker Version3.35
Sitracker ≫ Support Incident Tracker Version3.35 Updatebeta1
Sitracker ≫ Support Incident Tracker Version3.36
Sitracker ≫ Support Incident Tracker Version3.40
Sitracker ≫ Support Incident Tracker Version3.40 Updatebeta1
Sitracker ≫ Support Incident Tracker Version3.41
Sitracker ≫ Support Incident Tracker Version3.45
Sitracker ≫ Support Incident Tracker Version3.45 Updatebeta1
Sitracker ≫ Support Incident Tracker Version3.50
Sitracker ≫ Support Incident Tracker Version3.50 Updatebeta1
Sitracker ≫ Support Incident Tracker Version3.51
Sitracker ≫ Support Incident Tracker Version3.60
Sitracker ≫ Support Incident Tracker Version3.61
Sitracker ≫ Support Incident Tracker Version3.62
Sitracker ≫ Support Incident Tracker Version3.63
Sitracker ≫ Support Incident Tracker Version3.63 Updatebeta1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.32% | 0.543 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.