6.5

CVE-2012-2171

SQL injection vulnerability in ModuleServlet.do in the Storage Manager Profiler in IBM System Storage DS Storage Manager before 10.83.xx.18 on DS Series devices allows remote authenticated users to execute arbitrary SQL commands via the selectedModuleOnly parameter in a state_viewmodulelog action to the ModuleServlet URI.

Data provided by the National Vulnerability Database (NVD)

Affected configurations (as listed by NVD):
- IBM DS Storage Manager Host Software 10.60.x5.14
- IBM DS4100
- IBM DS4100, version 1724
- IBM DS4200, version 1814
- IBM DS4300, version 1722
- IBM DS4400, version 1742
- IBM DS4500, version 1742
- IBM DS4700, version 1814
- IBM DS4800, version 1815
- IBM System Storage DS3200, version 1726
- IBM System Storage DS3300, version 1726
- IBM System Storage DS3400, version 1726
- IBM System Storage DS3512, version 1746
- IBM System Storage DS3524, version 1746
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.98%   0.746

CVSS metrics
Source         Base Score   Exploit Score   Impact Score   Vector String (CVSS v2)
nvd@nist.gov   6.5          8               6.4            AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
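The CWE-89 description above is abstract; the following added example (not code from the advisory, IBM, or the Storage Manager product) shows the same pattern in miniature. It assumes a constructed in-memory SQLite table named module_log and a hypothetical request parameter selected_module; the real servlet's schema and query are not known from this record. The vulnerable function pastes the parameter into the SQL text, the safe function binds it as a parameter, and an allow-list check is added as defence in depth for a value that should only ever name a known module.

```python
import sqlite3

# Constructed sample data standing in for a module-log table. The real
# Storage Manager Profiler schema is not known from the advisory; this
# table and its rows are assumed purely for illustration.
SAMPLE_ROWS = [
    ("controller", "2012-05-01 10:00", "cache flush ok"),
    ("drive", "2012-05-01 10:01", "drive 3 spun up"),
    ("profiler", "2012-05-01 10:02", "profile captured"),
]


def open_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE module_log (module TEXT, ts TEXT, message TEXT)"
    )
    conn.executemany("INSERT INTO module_log VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def view_module_log_vulnerable(conn, selected_module):
    """CWE-89 pattern: the request parameter is pasted into the SQL text.

    Whatever the caller supplies becomes part of the statement, so quote
    characters and SQL keywords in the value change the query's meaning
    instead of being treated as ordinary data.
    """
    sql = (
        "SELECT module, ts, message FROM module_log "
        "WHERE module = '" + selected_module + "'"
    )
    return conn.execute(sql).fetchall()


def view_module_log_safe(conn, selected_module):
    """Parameterised form: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT module, ts, message FROM module_log WHERE module = ?"
    return conn.execute(sql, (selected_module,)).fetchall()


def is_valid_module_name(value, allowed=frozenset({"controller", "drive", "profiler"})):
    """Defence in depth: allow-list a parameter that should only name a known
    module. The allow-list here is constructed for the sample table."""
    return value in allowed


if __name__ == "__main__":
    db = open_db()
    probe = "' OR '1'='1"  # textbook tautology used only to show the difference
    print("vulnerable:", len(view_module_log_vulnerable(db, probe)), "rows")
    print("safe:      ", len(view_module_log_safe(db, probe)), "rows")
```

Running it shows the concatenated query returning every row for the tautology input while the parameterised query returns none, which is exactly the distinction the CWE text draws between input interpreted as SQL and input treated as data. In a real fix, parameter binding is the primary control; the allow-list check is a secondary one that also makes unexpected values easy to log and alert on.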