Summary
This host is running OCS Inventory NG and is prone to multiple cross-site scripting and SQL injection vulnerabilities.
Impact
Successful exploitation could allow attackers to inject arbitrary web script or HTML and conduct Cross-Site Scripting attacks.
Impact Level: Application
Solution
Upgrade to OCS Inventory NG 1.02.3 or later. For updates refer to http://sourceforge.net/projects/ocsinventory
Insight
Multiple flaws are due to:
- improper validation of user-supplied input via (1) the query string, (2) the BASE parameter, or (3) the ega_1 parameter in ocsreports/index.php, which allows remote attackers to inject arbitrary web script or HTML.
- improper validation of user-supplied input via the (1) c, (2) val_1, or (3) onglet_bis parameter in ocsreports/index.php, which allows remote attackers to execute arbitrary SQL commands.
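The Insight section names the exact script and parameters involved, which is enough to write a log-side check for requests that target them. The following is an added example for defenders (not code from the advisory or from the OCS Inventory NG project): it parses combined-format web server log lines, restricts attention to requests for ocsreports/index.php, and flags markup in the BASE, ega_1 or raw query string and SQL metacharacters in c, val_1 or onglet_bis. The log format, the indicator patterns and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameter names taken from the advisory's Insight section.
XSS_PARAMS = {"BASE", "ega_1"}
SQLI_PARAMS = {"c", "val_1", "onglet_bis"}

# Generic indicator patterns (assumed for this example, not from the advisory).
XSS_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript\s*:", re.I)
SQLI_RE = re.compile(r"'\s*(?:or|and)\b|'\s*;|--\s*$|\bunion\s+(?:all\s+)?select\b", re.I)

# Apache/nginx combined log format: client, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2010:10:00:01 +0000] "GET /ocsreports/index.php?multi=1&BASE=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/May/2010:10:00:02 +0000] "GET /ocsreports/index.php?c=1%27%20OR%201%3D1--&val_1=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/May/2010:10:00:03 +0000] "GET /ocsreports/index.php?multi=1&c=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [12/May/2010:10:00:04 +0000] "GET /index.php?BASE=%3Cscript%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/May/2010:10:00:05 +0000] "GET /ocsreports/index.php?multi=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def classify_target(target):
    """Return a list of (kind, parameter) findings for one request target.

    Only requests for ocsreports/index.php are inspected. parse_qs already
    percent-decodes parameter values, so the patterns run on decoded text.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/ocsreports/index.php"):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if name in XSS_PARAMS and XSS_RE.search(value):
                findings.append(("xss", name))
            if name in SQLI_PARAMS and SQLI_RE.search(value):
                findings.append(("sqli", name))
    # The advisory also names the query string as a whole as an XSS vector,
    # so markup in any other parameter is reported against the query string.
    if not any(kind == "xss" for kind, _ in findings) and XSS_RE.search(unquote(parts.query)):
        findings.append(("xss", "query_string"))
    return findings


def scan_log(lines):
    """Return (client_ip, status, kind, parameter) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for kind, param in classify_target(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), kind, param))
    return hits


if __name__ == "__main__":
    for ip, status, kind, param in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {kind} via {param}")
```

The 404 on the fourth sample line is deliberately ignored because the path is not the affected script; a production version would also want to correlate the HTTP status, since a 200 on a flagged request is what distinguishes a probe that reached the vulnerable code from one the server rejected.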
Affected
OCS Inventory NG 1.02.1 and prior.
References
CVE: CVE-2010-1594, CVE-2010-1595
Severity
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P