Avanset Visual CertExam Manager version 3.3 and below contain a SQL injection vulnerability.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Avanset Visual CertExam Manager version 3.3 and below contain a SQL injection vulnerability due to the application failing to validate user input variables. It has been reported that the fields "File name" and "Candidate Name" are all vulnerable to SQL injection.
An authenticated attacker can read or modify data in the application database.
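The failure mode behind this CWE-89 finding, shown as an added example that is not the product's code: a hypothetical candidate lookup on a constructed in-memory SQLite table, once with the "Candidate Name" value spliced into the SQL text and once passed as a bound parameter, plus an allowlist check of the kind the missing input validation would provide. The schema, table contents and function names are all assumptions; the real application's database layout is not known from the advisory.

```python
import re
import sqlite3

# Constructed stand-in for an exam-manager database (assumption, not the
# vendor's schema): a few candidate records with scores.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE candidates (id INTEGER PRIMARY KEY, name TEXT, score INTEGER);
        INSERT INTO candidates (name, score) VALUES ('Alice', 72), ('Bob', 88);
    """)
    return conn

def lookup_unsafe(conn, candidate_name):
    # CWE-89 pattern: the user-controlled field is pasted into the SQL string,
    # so quote characters in the value change the meaning of the statement.
    sql = "SELECT name, score FROM candidates WHERE name = '%s'" % candidate_name
    return conn.execute(sql).fetchall()

def lookup_safe(conn, candidate_name):
    # Parameterized query: the value is handed to the driver separately from the
    # SQL text and is always treated as data, never as part of the statement.
    sql = "SELECT name, score FROM candidates WHERE name = ?"
    return conn.execute(sql, (candidate_name,)).fetchall()

# Hypothetical allowlist for the Candidate Name field: letters, digits, spaces,
# hyphens, apostrophes-free. Validation is defence in depth, not a substitute for
# parameterized queries.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 .\-]{0,63}$")

def validate_candidate_name(value):
    return bool(_NAME_RE.match(value))

if __name__ == "__main__":
    db = make_db()
    # The textbook tautology shows why the unsafe form discloses every row while
    # the bound-parameter form simply finds no candidate with that literal name.
    probe = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))   # all candidates
    print("safe:  ", lookup_safe(db, probe))     # []
    print("valid name?", validate_candidate_name(probe))
```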
We are currently unaware of a practical solution to this problem.
Enable firewall rules to restrict access to the Avanset Visual CertExam Manager from external untrusted sources.
Vendor  | Status | Date Notified | Date Updated
Avanset |        | -             | 09 Jan 2014
Group         | Score | Vector
Base          | 6.5   | AV:N/AC:L/Au:S/C:P/I:P/A:P
Temporal      | 5.6   | E:POC/RL:U/RC:UR
Environmental | 1.4   | CDP:N/TD:L/CR:ND/IR:ND/AR:ND
Thanks to security researcher Mr. Aung Khant (firstname.lastname@example.org) for reporting this vulnerability.
This document was written by Michael Orlando.