CVE-2016-4350 Information
Description
Multiple SQL injection vulnerabilities in the Web Services web server in SolarWinds Storage Resource Monitor (SRM) Profiler (formerly Storage Manager (STM)) before 6.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) ScriptSchedule parameter in the ScriptServlet servlet; the (2) winEventId or (3) winEventLog parameter in the WindowsEventLogsServlet servlet; the (4) processOS parameter in the ProcessesServlet servlet; the (5) group (6) groupName or (7) clientName parameter in the BackupExceptionsServlet servlet; the (8) valDB or (9) valFS parameter in the BackupAssociationServlet servlet; the (10) orderBy or (11) orderDir parameter in the HostStorageServlet servlet; the (12) fileName (13) sortField or (14) sortDirection parameter in the DuplicateFilesServlet servlet; the (15) orderFld or (16) orderDir parameter in the QuantumMonitorServlet servlet; the (17) exitCode parameter in the NbuErrorMessageServlet servlet; the (18) udfName (19) displayName (20) udfDescription (21) udfDataValue (22) udfSectionName or (23) udfId parameter in the UserDefinedFieldConfigServlet servlet; the (24) sortField or (25) sortDirection parameter in the XiotechMonitorServlet servlet; the (26) sortField or (27) sortDirection parameter in the BexDriveUsageSummaryServlet servlet; the (28) state parameter in the ScriptServlet servlet; the (29) assignedNames parameter in the FileActionAssignmentServlet servlet; the (30) winEventSource parameter in the WindowsEventLogsServlet servlet; or the (31) name (32) ipOne (33) ipTwo or (34) ipThree parameter in the XiotechMonitorServlet servlet.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/releaseNotes.htm http://www.zerodayinitiative.com/advisories/ZDI-16-249 http://www.zerodayinitiative.com/advisories/ZDI-16-250 http://www.zerodayinitiative.com/advisories/ZDI-16-251 http://www.zerodayinitiative.com/advisories/ZDI-16-252 http://www.zerodayinitiative.com/advisories/ZDI-16-253 http://www.zerodayinitiative.com/advisories/ZDI-16-254 http://www.zerodayinitiative.com/advisories/ZDI-16-255 http://www.zerodayinitiative.com/advisories/ZDI-16-256 http://www.zerodayinitiative.com/advisories/ZDI-16-257 http://www.zerodayinitiative.com/advisories/ZDI-16-258 http://www.zerodayinitiative.com/advisories/ZDI-16-259 http://www.zerodayinitiative.com/advisories/ZDI-16-260 http://www.zerodayinitiative.com/advisories/ZDI-16-261 http://www.zerodayinitiative.com/advisories/ZDI-16-262 http://www.zerodayinitiative.com/advisories/ZDI-16-263 http://www.zerodayinitiative.com/advisories/ZDI-16-264 http://www.zerodayinitiative.com/advisories/ZDI-16-265 http://www.zerodayinitiative.com/advisories/ZDI-16-266 http://www.zerodayinitiative.com/advisories/ZDI-16-267 http://www.zerodayinitiative.com/advisories/ZDI-16-268 http://www.zerodayinitiative.com/advisories/ZDI-16-269 http://www.zerodayinitiative.com/advisories/ZDI-16-270 http://www.zerodayinitiative.com/advisories/ZDI-16-271 http://www.zerodayinitiative.com/advisories/ZDI-16-272
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
9.8
Share on: