CVE-2018-5384

Navarino Infinity web interface up to version 2.2 exposes an unauthenticated script that is prone to blind sql injection. If successfully exploited the user can get info from the underlying postgresql database that could lead into to total compromise of the product. The said script is available with no authentication.
Configurations

Configuration 1 (hide)

cpe:2.3:a:navarino:infinity:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:08

Type Values Removed Values Added
References () http://www.securityfocus.com/bid/103544 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/103544 - Third Party Advisory, VDB Entry
References () https://medium.com/%40evstykas/pwning-ships-vsat-for-fun-and-profit-ba0fe9f42fb3 - () https://medium.com/%40evstykas/pwning-ships-vsat-for-fun-and-profit-ba0fe9f42fb3 -
References () https://packetstormsecurity.com/files/146506/Navarino-Infinity-Blind-SQL-Injection-Session-Fixation.html - Exploit, Third Party Advisory, VDB Entry () https://packetstormsecurity.com/files/146506/Navarino-Infinity-Blind-SQL-Injection-Session-Fixation.html - Exploit, Third Party Advisory, VDB Entry
References () https://www.kb.cert.org/vuls/id/184077 - Third Party Advisory, US Government Resource () https://www.kb.cert.org/vuls/id/184077 - Third Party Advisory, US Government Resource

07 Nov 2023, 02:58

Type Values Removed Values Added
References
  • {'url': 'https://medium.com/@evstykas/pwning-ships-vsat-for-fun-and-profit-ba0fe9f42fb3', 'name': 'https://medium.com/@evstykas/pwning-ships-vsat-for-fun-and-profit-ba0fe9f42fb3', 'tags': ['Exploit', 'Press/Media Coverage', 'Third Party Advisory'], 'refsource': 'MISC'}
  • () https://medium.com/%40evstykas/pwning-ships-vsat-for-fun-and-profit-ba0fe9f42fb3 -

Information

Published : 2018-07-24 15:29

Updated : 2024-11-21 04:08


NVD link : CVE-2018-5384

Mitre link : CVE-2018-5384

CVE.ORG link : CVE-2018-5384


JSON object : View

Products Affected

navarino

  • infinity
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')