CVE-2015-6004 Information

Description

Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Reference

http://twitter.com/ipswitch/statuses/677558623229317121 http://www.securityfocus.com/bid/79506 http://www.securitytracker.com/id/1034833 https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems https://www.kb.cert.org/vuls/id/176160

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

6.5