Metric | Value |
---|---|
CVSS2 score | 6.5 Medium |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
AI Score | 8.3 High |
AI Score confidence | Low |
EPSS | 0.001 Low |
EPSS percentile | 49.8% |

Multiple SQL injection vulnerabilities in zport/dmd/Events/getJSONEventsInfo in Zenoss 2.3.3, and other versions before 2.5, allow remote authenticated users to execute arbitrary SQL commands via the (1) severity, (2) state, (3) filter, (4) offset, and (5) count parameters.
CPE | Name | Operator | Version |
---|---|---|---|
zenoss:zenoss | zenoss | le | 2.4.5 |
zenoss:zenoss | zenoss | eq | 2.3.0 |
zenoss:zenoss | zenoss | eq | 2.3.3 |
zenoss:zenoss | zenoss | eq | 2.4.0 |
zenoss:zenoss | zenoss | eq | 2.4.2 |
dev.zenoss.org/trac/changeset/15257
osvdb.org/61804
secunia.com/advisories/38195
www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-001-zenoss-getjsoneventsinfo-sql-injection/
www.securityfocus.com/bid/37802
www.zenoss.com/news/SQL-Injection-and-Cross-Site-Forgery-in-Zenoss-Core-Corrected.html
exchange.xforce.ibmcloud.com/vulnerabilities/55670