Vulnerability CVE-2001-0319


Published: 2001-05-03   Modified: 2012-02-12

Description:
orderdspc.d2w macro in IBM Net.Commerce 3.x allows remote attackers to execute arbitrary SQL queries by inserting them into the order_rn option of the report capability.

Vendor: IBM
Product: Websphere commerce suite 
Version:
4.1.1
4.1
3.2
3.1.2
Product: Net.commerce 
Version:
3.2
3.1.2
3.1.1
3.1
3.0
2.0
Product: Net.commerce hosting server 
Version:
3.2
3.1.2
3.1.1

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://archives.neohapsis.com/archives/bugtraq/2001-02/0072.html
http://www-4.ibm.com/software/webservers/commerce/netcomletter.html
http://www.securityfocus.com/bid/2350
https://exchange.xforce.ibmcloud.com/vulnerabilities/6067

Related CVE
CVE-2019-4241
IBM PureApplication System 2.2.3.0 through 2.2.5.3 could allow an authenticated user with local access to bypass authentication and obtain administrative access. IBM X-Force ID: 159467.
CVE-2019-4235
IBM PureApplication System 2.2.3.0 through 2.2.5.3 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 159417.
CVE-2019-4234
IBM PureApplication System 2.2.3.0 through 2.2.5.3 weakness in the implementation of locking feature in pattern editor. An attacker by intercepting the subsequent requests can bypass business logic to modify the pattern to unlocked state. IBM X-Force...
CVE-2019-4225
IBM PureApplication System 2.2.3.0 through 2.2.5.3 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 159242.
CVE-2019-4224
IBM PureApplication System 2.2.3.0 through 2.2.5.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM ...
CVE-2019-4382
IBM API Connect 5.0.0.0 through 5.0.8.6 could allow an unauthorized user to obtain sensitive information about the system users using specially crafted HTTP requests. IBM X-Force ID: 162162.
CVE-2019-4377
IBM Sterling B2B Integrator 6.0.0.0 and 6.0.0.1 reveals sensitive information from a stack trace that could be used in further attacks against the system. IBM X-Force ID: 162803.
CVE-2019-4158
IBM Security Access Manager 9.0.1 through 9.0.6 does not prove that a user's identity is correct which can lead to the exposure of resources or functionality to unintended actors. IBM X-Force ID: 158574.

Copyright 2019, cxsecurity.com

 

Back to Top