Vulnerability CVE-2021-40842


Published: 2021-10-13

Description:
Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. The vulnerability exists due to improper input validation on the database name parameter required in certain unauthenticated APIs. A malicious URL visited by anyone with network access to the server could be used to blindly execute arbitrary SQL statements on the backend database. Version 7.12.0 and all versions prior to 7.11.2 are affected.

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Proofpoint -> Insider threat management server 

 References:
https://www.proofpoint.com/us/security/security-advisories/pfpt-sa-2021-0008
https://www.proofpoint.com/us/security/security-advisories

Copyright 2021, cxsecurity.com

 

Back to Top