7.5 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
70.6%
Ipswitch WhatsUp Gold 15.02 has been reported to contain blind SQL injection and cross-site scripting vulnerabilities.
Ipswitch WhatsUp Gold 15.02 has been reported to contain blind SQL injection and cross-site scripting vulnerabilities.
CWE-79** -**CVE-2012-2601 - Blind SQL Injection
A blind SQL injection attack may be performed against the WrVMwareHostList.asp
file.
Proof of Concept:
WrVMwareHostList.asp?sGroupList=1;WAITFOR DELAY '0:0:10'--&sDeviceList=3
CWE-89******-**CVE-2012-2589 - Cross-site scripting
The snmpd.conf
file may be maliciously modified to execute arbitrary Javascript.
Proof of Concept:
sysName <script>alert(124)</script>pt>>
The CVSS score below applies to CVE-2012-2601.
An attacker may be able to execute arbitrary SQL commands and script.
Apply an Update
WhatsUp Gold 15.03 has been released to address these vulnerabilities.
777007
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: June 26, 2012 Updated: September 04, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 5.9 | E:POC/RL:OF/RC:C |
Environmental | 1.5 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Devon Kearns of Offensive Security for reporting this vulnerability.
This document was written by Jared Allar.
CVE IDs: | CVE-2012-2601, CVE-2012-2589 |
---|---|
Date Public: | 2012-07-22 Date First Published: |