Mercator SENTINEL SQL injection allows authentication bypass

ID VU:122142
Type cert
Reporter CERT
Modified 2012-05-10T00:00:00



Mercator SENTINEL contains an SQL injection vulnerability that could allow an attacker to bypass authentication and access the system with administrative privileges.


Mercator SENTINEL is a flight safety management system. The login form of the web interface contains an SQL injection vulnerability. Please see CERT-NPS:2011:005 for more information.


An attacker with network access to the SENTINEL web interface could access the system with administrative privileges.



Credible information indicates that this vulnerability is addressed in SENTINEL version

Restrict access

Restrict access to the SENTINEL web interface to trusted users and networks.

Vendor Information

Vendor| Status| Date Notified| Date Updated
Mercator| | 22 Jun 2011| 14 Oct 2011
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 9.7 | AV:N/AC:L/Au:N/C:C/I:C/A:P
Temporal | 7.9 | E:F/RL:W/RC:UC
Environmental | 2.1 | CDP:LM/TD:L/CR:ND/IR:ND/AR:ND


  • <>
  • <>
  • <>
  • <>


Thanks to CERT-NETPEAS for reporting this vulnerability. Thanks also to ICS-CERT and aeCERT for their assistance.

This document was written by Art Manion.

Other Information

  • CVE IDs: CVE-2011-1913
  • Date Public: 20 Jun 2011
  • Date First Published: 14 Sep 2011
  • Date Last Updated: 10 May 2012
  • Severity Metric: 1.22
  • Document Revision: 15