Summary
This host is running OCS Inventory NG and is prone to multiple SQL Injection vulnerabilities.
Impact
Successful exploitation will allow an attacker to inject arbitrary SQL code and obtain sensitive information about system configurations and the software installed on hosts across the network.
Impact Level: System
Solution
Upgrade to version 1.02.1
http://www.ocsinventory-ng.org/index.php?page=downloads
NOTE: Ignore this warning if the application is upgraded to version 1.02.1
Insight
The user-supplied input passed via the 'N', 'DL', 'O' and 'v' parameters of download.php and the 'systemid' parameter of group_show.php is not sanitised before being used in an SQL query.
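As an added illustration, not code from OCS Inventory NG (whose download.php and group_show.php are PHP and are not reproduced here), the following Python/sqlite3 example contrasts the flaw class the Insight describes (a request parameter concatenated into SQL text) with its hardened form (parameter binding, plus type validation for the numeric 'systemid'). The table names, columns and sample rows are constructed for the demo and do not reflect the real OCS schema.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the inventory tables; not the OCS Inventory NG schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hardware (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE software (hardware_id INTEGER, name TEXT, version TEXT)")
    conn.executemany("INSERT INTO hardware VALUES (?, ?)", [(1, "ws-01"), (2, "ws-02")])
    conn.executemany(
        "INSERT INTO software VALUES (?, ?, ?)",
        [(1, "O'Reilly Reader", "1.0"), (2, "editor", "2.3")],
    )
    return conn


def software_by_name_vulnerable(conn, name):
    # The pattern the advisory describes: the request value is dropped straight
    # into the SQL text, so a quote character in it becomes SQL syntax.
    sql = "SELECT hardware_id, name, version FROM software WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def software_by_name_fixed(conn, name):
    # Hardened form: the value is bound as a parameter and can only ever be data.
    sql = "SELECT hardware_id, name, version FROM software WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def group_by_systemid_fixed(conn, systemid):
    # For a numeric parameter such as 'systemid', reject anything that is not a
    # plain integer before it reaches the database, and still bind the value.
    if not isinstance(systemid, str) or not systemid.isdigit():
        raise ValueError("systemid must be a positive integer")
    sql = "SELECT id, name FROM hardware WHERE id = ?"
    return conn.execute(sql, (int(systemid),)).fetchall()


def demo():
    # Runs both variants against a legitimate product name containing an
    # apostrophe; the results show which one treats the input as SQL.
    conn = make_db()
    results = {}
    try:
        software_by_name_vulnerable(conn, "O'Reilly Reader")
        results["vulnerable_raised"] = False
    except sqlite3.Error:
        # The apostrophe terminated the string literal: the input was parsed as SQL.
        results["vulnerable_raised"] = True
    results["fixed"] = software_by_name_fixed(conn, "O'Reilly Reader")
    results["group"] = group_by_systemid_fixed(conn, "2")
    try:
        group_by_systemid_fixed(conn, "two")
        results["bad_systemid_rejected"] = False
    except ValueError:
        results["bad_systemid_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A single apostrophe in an ordinary value is enough to show that the concatenated query interprets user input as SQL, which is the root cause behind all five parameters named in the Insight; the bound-parameter version returns the matching row unchanged, and the integer check turns a malformed 'systemid' into a rejected request rather than a query fragment.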
Affected
OCS Inventory NG version 1.02
References
Severity
Classification
CVE: CVE-2009-3040
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P