Navarino Infinity web interface up to version 2.2 exposes an unauthenticated script that is prone to blind sql injection. If successfully exploited the user can get info from the underlying postgresql database that could lead into to total compromise of the product. The said script is available with no authentication.
References
Link | Resource |
---|---|
http://www.securityfocus.com/bid/103544 | Third Party Advisory VDB Entry |
https://medium.com/%40evstykas/pwning-ships-vsat-for-fun-and-profit-ba0fe9f42fb3 | |
https://packetstormsecurity.com/files/146506/Navarino-Infinity-Blind-SQL-Injection-Session-Fixation.html | Exploit Third Party Advisory VDB Entry |
https://www.kb.cert.org/vuls/id/184077 | Third Party Advisory US Government Resource |
Configurations
History
07 Nov 2023, 02:58
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2018-07-24 15:29
Updated : 2024-02-28 16:48
NVD link : CVE-2018-5384
Mitre link : CVE-2018-5384
CVE.ORG link : CVE-2018-5384
JSON object : View
Products Affected
navarino
- infinity
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')