Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. The vulnerability exists due to improper input validation on the database name parameter required in certain unauthenticated APIs. A malicious URL visited by anyone with network access to the server could be used to blindly execute arbitrary SQL statements on the backend database. Version 7.12.0 and all versions prior to 7.11.2 are affected.
References
Link | Resource |
---|---|
https://www.proofpoint.com/us/security/security-advisories | Vendor Advisory |
https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0008 | Vendor Advisory |
https://www.proofpoint.com/us/security/security-advisories | Vendor Advisory |
https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0008 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:24
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.proofpoint.com/us/security/security-advisories - Vendor Advisory | |
References | () https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0008 - Vendor Advisory |
Information
Published : 2021-10-13 18:15
Updated : 2024-11-21 06:24
NVD link : CVE-2021-40842
Mitre link : CVE-2021-40842
CVE.ORG link : CVE-2021-40842
JSON object : View
Products Affected
proofpoint
- insider_threat_management_server
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')