Mercator SENTINEL contains an SQL injection vulnerability that could allow an attacker to bypass authentication and access the system with administrative privileges.
Mercator SENTINEL is a flight safety management system. The login form of the web interface contains an SQL injection vulnerability. Please see CERT-NPS:2011:005 for more information.
An attacker with network access to the SENTINEL web interface could access the system with administrative privileges.
Credible information indicates that this vulnerability is addressed in SENTINEL version 18.104.22.168.
Restrict access to the SENTINEL web interface to trusted users and networks.
Vendor| Status| Date Notified| Date Updated
Mercator| | 22 Jun 2011| 14 Oct 2011
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | 9.7 | AV:N/AC:L/Au:N/C:C/I:C/A:P
Temporal | 7.9 | E:F/RL:W/RC:UC
Environmental | 2.1 | CDP:LM/TD:L/CR:ND/IR:ND/AR:ND
Thanks to CERT-NETPEAS for reporting this vulnerability. Thanks also to ICS-CERT and aeCERT for their assistance.
This document was written by Art Manion.