exploitDog

CVE-2020-16104

Опубликовано: 14 дек. 2020

Источник: nvd

CVSS3: 8.2

CVSS3: 7.2

CVSS2: 6.5

EPSS Низкий

Описание

SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions.

Ссылки

https://security.gallagher.com/Security-Advisories/CVE-2020-16104
Vendor Advisory
https://security.gallagher.com/Security-Advisories/CVE-2020-16104
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*

Версия до 7.90.0 (исключая)

cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*

Версия от 8.00 (включая) до 8.00.1228 (исключая)

cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*

Версия от 8.10 (включая) до 8.10.1211 (исключая)

cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*

Версия от 8.20 (включая) до 8.20.1166 (исключая)

cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*

Версия от 8.30 (включая) до 8.30.1236 (исключая)

cpe:2.3:a:gallagher:command_centre:8.00.1228:-:*:*:*:*:*:*

cpe:2.3:a:gallagher:command_centre:8.00.1228:maintenance_release6:*:*:*:*:*:*

cpe:2.3:a:gallagher:command_centre:8.10.1211:-:*:*:*:*:*:*

cpe:2.3:a:gallagher:command_centre:8.10.1211:maintenance_release5:*:*:*:*:*:*

cpe:2.3:a:gallagher:command_centre:8.20.1166:-:*:*:*:*:*:*

cpe:2.3:a:gallagher:command_centre:8.20.1166:maintenance_release3:*:*:*:*:*:*

cpe:2.3:a:gallagher:command_centre:8.30.1236:-:*:*:*:*:*:*

cpe:2.3:a:gallagher:command_centre:8.30.1236:maintenance_release1:*:*:*:*:*:*

EPSS

Процентиль: 69%

0.00608

Низкий

8.2 High

CVSS3

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-89

CWE-89

Связанные уязвимости

GHSA-w3xv-vqgp-pqp7

github

больше 3 лет назад

SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions.

EPSS

Процентиль: 69%

0.00608

Низкий

8.2 High

CVSS3

7.2 High

CVSS3

6.5 Medium

CVSS2

Дефекты

CWE-89

CWE-89