6.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
6.5 Medium
CVSS2
Access Vector
Access Complexity
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
69.9%
IPSwitch’s WhatsUp Gold version 16.3, and possibly previous versions, is vulnerable to SQL injection and cross-site scripting attacks.
CWE-89**: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) -**CVE-2015-6004
The “Find Device” search field does not properly neutralize user input, allowing an unauthenticated (e.g., the guest account) attacker to perform SQL queries and commands by inserting ticks or percent characters.
The “UniqueID” parameter does not sufficiently sanitize user-provided input, leading to a complete compromise of the database associated with the WhatsUpGold application. This parameter is only accessible post-authentication. For more information, please see Rapid7’s advisory R7-2015-19.
CWE-80**: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) -**CVE-2015-6005
A stored XSS vulnerability can be triggered by poisoning certain SNMP OID objects and waiting for a WhatsUpGold instance to query the SNMP endpoint. SNMP trap messages may also be used. For more information, please see Rapid7’s advisory R7-2015-19.
Furthermore, the following user input fields do not properly neutralize user input, allowing an attacker to perform stored XSS attacks:
* View Names
* Group Names
* Flow Monitor Credentials and Threshold Name
* Task Library Name and Description
* Policy Library Name and Description
* Template Library Name and Description
* System Script Library Name and Description
* CLI Settings Library Description
These fields appear to be only accessible by privileged accounts (e.g., administrator accounts) and therefore are unlikely to be exploited in practice.
According to the reporters, WhatsUp Gold version 16.3 is affected by these vulnerabilities. Other versions may also be affected.
An unauthenticated remote attacker may perform SQL commands on the backend database. An administrator may be able to perform cross-site scripting attacks on other administrators and users.
Apply an update
IPSwitch has released WhatsUp Gold version 16.4 to address these issues. Affected users should update as soon as possible.
176160
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: July 16, 2015 Updated: September 08, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 5.9 | E:POC/RL:OF/RC:C |
Environmental | 4.4 | CDP:N/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to an anonymous researcher working with Beyond Security’s SSD program, Owen Shearing of 7Safe Ltd., and Rapid7 for independently reporting SQL injection issues to us. Thanks to the anonymous researcher and Rapid7 for also reporting cross-site scripting vulnerabilities.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2015-6004, CVE-2015-6005 |
---|---|
Date Public: | 2015-12-16 Date First Published: |
6.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
6.5 Medium
CVSS2
Access Vector
Access Complexity
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
69.9%