VDB-12789 · CVE-2013-10003 · MZ-13-06

Telecommunication Software SAMwin Contact Center Suite 5.1 Database SAMwinLIBVB.dll getCurrentDBVersion sql injektion

Det var en kritisksvag punkt upptäcktes i Telecommunication Software SAMwin Contact Center Suite 5.1. Som påverkar funktionen getCurrentDBVersion hos två bibliotek SAMwinLIBVB.dll av komponenten Database Handler. Manipulering en okänd ingång leder till en sårbarhet klass sql injektion svag punkt. Den rådgivande finns tillgänglig för nedladdning på modzero.ch. Kombinerades med tillverkarens på en publikation. Denna svaga punkt är känd som CVE-2013-10003. Attacken på nätet kan. Det finns tekniska detaljer känd. Han deklarerade proof-of-concept. Den exploit kan laddas ner från modzero.ch. Minst 174 dagar var den svaga punkten som 0-day. En uppgradering till den version 6.2 att åtgärda problemet. Som bläst uppdatera till den senaste versionen åtgärder rekommenderas. En möjlig åtgärd har utfärdats före och inte bara efter offentliggörandet.

Fält	03/04/2014 17:21	31/03/2019 22:05	24/05/2022 15:14
vendor	Telecommunication Software	Telecommunication Software	Telecommunication Software
name	SAMwin Contact Center Suite	SAMwin Contact Center Suite	SAMwin Contact Center Suite
version	5.1	5.1	5.1
component	Database Handler	Database Handler	Database Handler
library	SAMwinLIBVB.dll	SAMwinLIBVB.dll	SAMwinLIBVB.dll
function	getCurrentDBVersion	getCurrentDBVersion	getCurrentDBVersion
affectedlist	Telecommunication Software SAMwin Contact Center Suite 5.1 Telecommunication Software SAMwin Agent 5.01.19.06	Telecommunication Software SAMwin Contact Center Suite 5.1 Telecommunication Software SAMwin Agent 5.01.19.06	Telecommunication Software SAMwin Contact Center Suite 5.1 Telecommunication Software SAMwin Agent 5.01.19.06
vendorinformdate	1379635200	1379635200	1379635200
risk	2	2	2
historic	0	0	0
cvss2_vuldb_basescore	5.8	5.8	5.8
cvss2_vuldb_tempscore	4.3	4.3	4.3
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	M	M	M
cvss2_vuldb_au	N	N	N
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	N	N	N
cvss3_meta_basescore	6.5	6.5	6.5
cvss3_meta_tempscore	5.6	5.6	5.6
cvss3_vuldb_basescore	6.5	6.5	6.5
cvss3_vuldb_tempscore	5.6	5.6	5.6
advisoryquote	Due to the absence of any middleware sanitizing and verifying input data send by the SAMwin Agent, arbitrary SQL commands can be executed from the username field of the SAMwin Agent login mask. When a SAMwin Agent user logs in, the username and password will be compared against values that are stored in the database. By terminating the username with a single quote character, any person with access to the SAMwin Agent login form can execute malicious SQL statements. For example, the following string can be used as username to verify the SQL command execution on the SQL server.	Due to the absence of any middleware sanitizing and verifying input data send by the SAMwin Agent, arbitrary SQL commands can be executed from the username field of the SAMwin Agent login mask. When a SAMwin Agent user logs in, the username and password will be compared against values that are stored in the database. By terminating the username with a single quote character, any person with access to the SAMwin Agent login form can execute malicious SQL statements. For example, the following string can be used as username to verify the SQL command execution on the SQL server.	Due to the absence of any middleware sanitizing and verifying input data send by the SAMwin Agent, arbitrary SQL commands can be executed from the username field of the SAMwin Agent login mask. When a SAMwin Agent user logs in, the username and password will be compared against values that are stored in the database. By terminating the username with a single quote character, any person with access to the SAMwin Agent login form can execute malicious SQL statements. For example, the following string can be used as username to verify the SQL command execution on the SQL server.
date	1394668800 (13/03/2014)	1394668800 (13/03/2014)	1394668800 (13/03/2014)
location	Website	Website	Website
type	Advisory	Advisory	Advisory
url	http://www.modzero.ch/advisories/MZ-13-06_SAMwin_Architectural_Issues.txt	http://www.modzero.ch/advisories/MZ-13-06_SAMwin_Architectural_Issues.txt	http://www.modzero.ch/advisories/MZ-13-06_SAMwin_Architectural_Issues.txt
identifier	MZ-13-06	MZ-13-06	MZ-13-06
coordination	1	1	1
person_name	Tobias Ospelt/Max Moser	Tobias Ospelt/Max Moser	Tobias Ospelt/Max Moser
company_name	modzero AG	modzero AG	modzero AG
confirm_date	1379980800 (24/09/2013)	1379980800 (24/09/2013)	1379980800 (24/09/2013)
availability	1	1	1
date	1394668800 (13/03/2014)	1394668800 (13/03/2014)	1394668800 (13/03/2014)
publicity	1	1	1
url	http://www.modzero.ch/advisories/MZ-13-06_SAMwin_Architectural_Issues.txt	http://www.modzero.ch/advisories/MZ-13-06_SAMwin_Architectural_Issues.txt	http://www.modzero.ch/advisories/MZ-13-06_SAMwin_Architectural_Issues.txt
developer_name	Tobias Ospelt/Max Moser	Tobias Ospelt/Max Moser	Tobias Ospelt/Max Moser
language	SQL	SQL	SQL
price_0day	$0-$5k	$0-$5k	$0-$5k
name	Upgrade	Upgrade	Upgrade
upgrade_version	6.2	6.2	6.2
seealso	12788	12788	12788
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_ui	N	N	N
cvss2_vuldb_e	POC	POC	POC
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_rc	UR	UR	UR
cvss3_vuldb_e	P	P	P
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	R	R	R
0day_days	174	174	174
cvss3_vuldb_pr	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	N	N	N
cwe	0	89 (sql injektion)	89 (sql injektion)
cve			CVE-2013-10003
responsible			VulDB

◂ Tidigare Översikt Nästa ▸

Do you know our Splunk app?

Download it now for free!