
AlienVault OSSIM <= 4.3 SQL Injection

Posted on 14 October 2013

From: Ding Yu-Chi <dingyuchi gmail com>
To: moderators osvdb org
Date: Wed, 2 Oct 2013 23:28:51 +0800
Subject: [OSVDB Mods] AlienVault OSSIM 4.3 SQL Injection

Hi OSVDB Team,

Our teammate Yu-Chi Ding discovered an AlienVault OSSIM vulnerability.

Details:

CVE-2013-5967
Name: Yu-Chi, Ding
Organization: DEVCORE
Email: dingyuchi@gmail.com
Software Name: OSSIM
Download URL: http://www.alienvault.com/open-threat-exchange/projects
Vendor Name: AlienVault, Inc.
Vendor Website: http://www.alienvault.com/
Type of vulnerability: SQL Injection
Affected version: <= 4.3

Vulnerability Description:

Multiple SQL injection vulnerabilities in AlienVault Open Source Security Information Management (OSSIM) 4.3, which allow remote attackers to execute arbitrary SQL commands via the "date_from" parameter in a query action.

The following are the URLs:

/RadarReport/radar-iso27001-potential.php?date_from=%Inject_Here%
/RadarReport/radar-iso27001-A12IS_acquisition-pot.php?date_from=%Inject_Here%
/RadarReport/radar-iso27001-A11AccessControl-pot.php?date_from=%Inject_Here%
/RadarReport/radar-iso27001-A10Com_OP_Mgnt-pot.php?date_from=%Inject_Here%
/RadarReport/radar-pci-potential.php?date_from=%Inject_Here%

Thanks.
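An added detection example, not part of the advisory or of OSSIM's own code: this Python script scans web-server access logs for requests to the five listed endpoints whose date_from value is not a plain date. The YYYY-MM-DD date format, the access-log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit
# Endpoints named in the advisory.
AFFECTED_PATHS = {
    "/RadarReport/radar-iso27001-potential.php",
    "/RadarReport/radar-iso27001-A12IS_acquisition-pot.php",
    "/RadarReport/radar-iso27001-A11AccessControl-pot.php",
    "/RadarReport/radar-iso27001-A10Com_OP_Mgnt-pot.php",
    "/RadarReport/radar-pci-potential.php",
}
# Assumption: a legitimate date_from is an ISO date (YYYY-MM-DD).
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def is_strict_date(value):
    """Allowlist check: exact shape and a real calendar date."""
    if not DATE_RE.fullmatch(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return False
    return True

def suspicious_requests(log_lines):
    """Return (line_no, path, percent-decoded value) for non-date date_from values."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path not in AFFECTED_PATHS:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("date_from", []):
            if not is_strict_date(value):
                hits.append((line_no, url.path, value))
    return hits

# Constructed sample log lines (not real traffic); %Inject_Here% is the advisory's placeholder.
_FMT = '192.0.2.10 - - [02/Oct/2013:10:00:0{}] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = [_FMT.format(i, t) for i, t in enumerate([
    "/RadarReport/radar-pci-potential.php?date_from=2013-10-01",
    "/RadarReport/radar-iso27001-potential.php?date_from=2013-10-01%20extra",
    "/RadarReport/radar-pci-potential.php?date_from=%Inject_Here%",
    "/index.php?date_from=anything",
    "/RadarReport/radar-pci-potential.php?date_from=2013-13-45",
])]
```

Running suspicious_requests(SAMPLE_LOG) flags lines 2, 3 and 5; the same allowlist check applies server-side before the value reaches a query.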

 
