{"href": "https://0day.today/exploit/description/27791", "sourceData": "SQL injection in INFOR EAM V11.0 Build 201410 search fields (web/base/..) via filtervalue parameter\r\n-------------------\r\nAssigned CVE: CVE-2017-7952\r\n \r\nReproduction steps:\r\n-------------------\r\n1. Log in with your EAM account\r\n2. Go to any page with a search or filter field in it (for example web/base/WSJOBS.xmlhttp) \r\n3. Make any search and intercept the request with a proxy \r\n4. In the intercepted request, replace the value of \"filteroperator\" parameter with IN.\r\n5. The \"filtervalue\" become vulnerable to SQL Injection\r\n \r\nExample:\r\n-------------------\r\nURL:http://<EAM_IP>/web/base/WSJOBS.xmlhttp\r\nPOST DATA: \r\nGRID_ID=<ID>&GRID_NAME=WSJOBS&DATASPY_ID=<ID>&USER_FUNCTION_NAME=WSJOBS&SYSTEM_FUNCTION_NAME=WSJOBS&CURRENT_TAB_NAME=LST&COMPONENT_INFO_TYPE=DATA_ONLY&filterfields=<field>&filteroperator=IN&filtervalue=<injection point>\r\n \r\nExploitability\r\n-------------------\r\nSince the SQL injection vulnerability is available for any logged users, an \r\nattacker needs a valid credential to exploit that vulnerability. By \r\nexploiting that SQL Injection the attacker could obtain any available data \r\n(even if they don\u2019t belongs directly to him), eventually deleting and \r\nreplacing data as well.\r\n \r\nImpact\r\n-------------------\r\nThis vulnerability allows full database access. It includes sensitive \r\ninformation that normally should be accessed by specific users.\r\nAn attacker could dump the user table, which contains usernames and \r\npassword hashes, and proceed to bruteforcing passwords offline and could \r\npossibly obtain administrative credentials, or could access private files \r\nor personal details such as: telephone numbers, physical address and \r\nprivate assets.\r\nObtaining administrative credentials would allow an attacker to perform \r\nactions like: add or deleting users, jobs, and everything else an admin can \r\ndo.\r\nBy having access to sensible information the attacker could eventually \r\npivoting them to perform further attacks on different target assets.\r\n \r\nDisclosure timeline\r\n-------------------\r\n \r\n26.04.2017 Vulnerability reported to vendor\r\n15.05.2017 Advisory published\n\n# 0day.today [2018-03-19] #", "bulletinFamily": "exploit", "modified": "2017-05-17T00:00:00", "title": "INFOR EAM 11.0 Build 201410 - filtervalue SQL Injection Vulnerability", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 6.5}, "sourceHref": "https://0day.today/exploit/27791", "cvelist": ["CVE-2017-7952"], "description": "Exploit for multiple platform in category web applications", "viewCount": 11, "published": "2017-05-17T00:00:00", "edition": 1, "id": "1337DAY-ID-27791", "type": "zdt", "lastseen": "2018-03-20T01:23:37", "reporter": "Yoroi", "enchantments": {"score": {"value": 6.7, "vector": "NONE", "modified": "2018-03-20T01:23:37", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-7952"]}, {"type": "exploitdb", "idList": ["EDB-ID:42028"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:B7847F72F580BE7953146CD4336D6415"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142505"]}], "modified": "2018-03-20T01:23:37", "rev": 2}, "vulnersScore": 6.7}, "references": [], "immutableFields": []}

{"cve": [{"lastseen": "2021-04-23T00:08:04", "description": "INFOR EAM V11.0 Build 201410 has SQL injection via search fields, related to the filtervalue parameter.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-16T10:29:00", "title": "CVE-2017-7952", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-7952"], "modified": "2017-08-13T01:29:00", "cpe": ["cpe:/a:infor:enterprise_asset_management:11.0_build_201410"], "id": "CVE-2017-7952", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7952", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:infor:enterprise_asset_management:11.0_build_201410:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2017-05-16T03:27:08", "description": "", "published": "2017-05-15T00:00:00", "type": "packetstorm", "title": "INFOR EAM 11.0 Build 201410 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7952"], "modified": "2017-05-15T00:00:00", "id": "PACKETSTORM:142505", "href": "https://packetstormsecurity.com/files/142505/INFOR-EAM-11.0-Build-201410-SQL-Injection.html", "sourceData": "`SQL injection in INFOR EAM V11.0 Build 201410 search fields (web/base/..) \nvia filtervalue parameter \n------------------- \nAssigned CVE: CVE-2017-7952 \n \nReproduction steps: \n------------------- \n1. Log in with your EAM account \n2. Go to any page with a search or filter field in it (for example \nweb/base/WSJOBS.xmlhttp) \n3. Make any search and intercept the request with a proxy \n4. In the intercepted request, replace the value of \"filteroperator\" \nparameter with IN. \n5. The \"filtervalue\" become vulnerable to SQL Injection \n \nExample: \n------------------- \nURL:http://<EAM_IP>/web/base/WSJOBS.xmlhttp \nPOST DATA: \nGRID_ID=<ID>&GRID_NAME=WSJOBS&DATASPY_ID=<ID>&USER_FUNCTION_NAME=WSJOBS&SYSTEM_FUNCTION_NAME=WSJOBS&CURRENT_TAB_NAME=LST&COMPONENT_INFO_TYPE=DATA_ONLY&filterfields=<field>&filteroperator=IN&filtervalue=<injection \npoint> \n \nExploitability \n------------------- \nSince the SQL injection vulnerability is available for any logged users, an \nattacker needs a valid credential to exploit that vulnerability. By \nexploiting that SQL Injection the attacker could obtain any available data \n(even if they donat belongs directly to him), eventually deleting and \nreplacing data as well. \n \nImpact \n------------------- \nThis vulnerability allows full database access. It includes sensitive \ninformation that normally should be accessed by specific users. \nAn attacker could dump the user table, which contains usernames and \npassword hashes, and proceed to bruteforcing passwords offline and could \npossibly obtain administrative credentials, or could access private files \nor personal details such as: telephone numbers, physical address and \nprivate assets. \nObtaining administrative credentials would allow an attacker to perform \nactions like: add or deleting users, jobs, and everything else an admin can \ndo. \nBy having access to sensible information the attacker could eventually \npivoting them to perform further attacks on different target assets. \n \nDisclosure timeline \n------------------- \n \n26.04.2017 Vulnerability reported to vendor \n15.05.2017 Advisory published \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142505/infoeam110-sql.txt"}], "exploitdb": [{"lastseen": "2017-05-17T20:49:26", "description": "INFOR EAM 11.0 Build 201410 - 'filtervalue' SQL Injection. CVE-2017-7952. Webapps exploit for XML platform. Tags: SQL Injection (SQLi)", "published": "2017-05-17T00:00:00", "type": "exploitdb", "title": "INFOR EAM 11.0 Build 201410 - 'filtervalue' SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7952"], "modified": "2017-05-17T00:00:00", "id": "EDB-ID:42028", "href": "https://www.exploit-db.com/exploits/42028/", "sourceData": "SQL injection in INFOR EAM V11.0 Build 201410 search fields (web/base/..) via filtervalue parameter\r\n-------------------\r\nAssigned CVE: CVE-2017-7952\r\n\r\nReproduction steps:\r\n-------------------\r\n1. Log in with your EAM account\r\n2. Go to any page with a search or filter field in it (for example web/base/WSJOBS.xmlhttp) \r\n3. Make any search and intercept the request with a proxy \r\n4. In the intercepted request, replace the value of \"filteroperator\" parameter with IN.\r\n5. The \"filtervalue\" become vulnerable to SQL Injection\r\n\r\nExample:\r\n-------------------\r\nURL:http://<EAM_IP>/web/base/WSJOBS.xmlhttp\r\nPOST DATA: \r\nGRID_ID=<ID>&GRID_NAME=WSJOBS&DATASPY_ID=<ID>&USER_FUNCTION_NAME=WSJOBS&SYSTEM_FUNCTION_NAME=WSJOBS&CURRENT_TAB_NAME=LST&COMPONENT_INFO_TYPE=DATA_ONLY&filterfields=<field>&filteroperator=IN&filtervalue=<injection point>\r\n\r\nExploitability\r\n-------------------\r\nSince the SQL injection vulnerability is available for any logged users, an \r\nattacker needs a valid credential to exploit that vulnerability. By \r\nexploiting that SQL Injection the attacker could obtain any available data \r\n(even if they don\u00e2\u20ac\u2122t belongs directly to him), eventually deleting and \r\nreplacing data as well.\r\n\r\nImpact\r\n-------------------\r\nThis vulnerability allows full database access. It includes sensitive \r\ninformation that normally should be accessed by specific users.\r\nAn attacker could dump the user table, which contains usernames and \r\npassword hashes, and proceed to bruteforcing passwords offline and could \r\npossibly obtain administrative credentials, or could access private files \r\nor personal details such as: telephone numbers, physical address and \r\nprivate assets.\r\nObtaining administrative credentials would allow an attacker to perform \r\nactions like: add or deleting users, jobs, and everything else an admin can \r\ndo.\r\nBy having access to sensible information the attacker could eventually \r\npivoting them to perform further attacks on different target assets.\r\n\r\nDisclosure timeline\r\n-------------------\r\n\r\n26.04.2017 Vulnerability reported to vendor\r\n15.05.2017 Advisory published", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42028/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:20", "description": "\nINFOR EAM 11.0 Build 201410 - filtervalue SQL Injection", "edition": 1, "published": "2017-05-17T00:00:00", "title": "INFOR EAM 11.0 Build 201410 - filtervalue SQL Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7952"], "modified": "2017-05-17T00:00:00", "id": "EXPLOITPACK:B7847F72F580BE7953146CD4336D6415", "href": "", "sourceData": "SQL injection in INFOR EAM V11.0 Build 201410 search fields (web/base/..) via filtervalue parameter\n-------------------\nAssigned CVE: CVE-2017-7952\n\nReproduction steps:\n-------------------\n1. Log in with your EAM account\n2. Go to any page with a search or filter field in it (for example web/base/WSJOBS.xmlhttp) \n3. Make any search and intercept the request with a proxy \n4. In the intercepted request, replace the value of \"filteroperator\" parameter with IN.\n5. The \"filtervalue\" become vulnerable to SQL Injection\n\nExample:\n-------------------\nURL:http://<EAM_IP>/web/base/WSJOBS.xmlhttp\nPOST DATA: \nGRID_ID=<ID>&GRID_NAME=WSJOBS&DATASPY_ID=<ID>&USER_FUNCTION_NAME=WSJOBS&SYSTEM_FUNCTION_NAME=WSJOBS&CURRENT_TAB_NAME=LST&COMPONENT_INFO_TYPE=DATA_ONLY&filterfields=<field>&filteroperator=IN&filtervalue=<injection point>\n\nExploitability\n-------------------\nSince the SQL injection vulnerability is available for any logged users, an \nattacker needs a valid credential to exploit that vulnerability. By \nexploiting that SQL Injection the attacker could obtain any available data \n(even if they don\u2019t belongs directly to him), eventually deleting and \nreplacing data as well.\n\nImpact\n-------------------\nThis vulnerability allows full database access. It includes sensitive \ninformation that normally should be accessed by specific users.\nAn attacker could dump the user table, which contains usernames and \npassword hashes, and proceed to bruteforcing passwords offline and could \npossibly obtain administrative credentials, or could access private files \nor personal details such as: telephone numbers, physical address and \nprivate assets.\nObtaining administrative credentials would allow an attacker to perform \nactions like: add or deleting users, jobs, and everything else an admin can \ndo.\nBy having access to sensible information the attacker could eventually \npivoting them to perform further attacks on different target assets.\n\nDisclosure timeline\n-------------------\n\n26.04.2017 Vulnerability reported to vendor\n15.05.2017 Advisory published", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}