Sql injection

2021-08-3004:15:00

PRIOn knowledge base

www.prio-n.com

9.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.3%

JSON

MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16.6.2.66) allows blind SQL Injection via the Id (within sourceItems) parameter to the GetMap method.

CPENameOperatorVersion
geomedia_webmaplt16.6.2.66

CPE	Name	Operator	Version
	geomedia_webmap	lt	16.6.2.66

References

download.hexagongeospatial.com/en/downloads/webgis/geomedia-webmap-2020-update-2

www.hexagongeospatial.com/products/power-portfolio/geomedia-webmap

www.silentgrid.com/blog/cve-2021-37749-hexagon-geomedia-webmap-2020-blind-sql-injection/