CVE-2020-26525

Опубликовано: 02 окт. 2020

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Низкий

Описание

Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.

Ссылки

https://github.com/lukaszstu/SmartAsset-SQLinj-CVE-2020-26525/blob/main/README.md
Third Party Advisory
https://support.damstratechnology.com/hc/en-us/categories/900000115446-SmartAsset-Damstra-Asset-Management-Platform
Vendor Advisory
https://www.smartasset.com.au/
Product
Vendor Advisory
https://github.com/lukaszstu/SmartAsset-SQLinj-CVE-2020-26525/blob/main/README.md
Third Party Advisory
https://support.damstratechnology.com/hc/en-us/categories/900000115446-SmartAsset-Damstra-Asset-Management-Platform
Vendor Advisory
https://www.smartasset.com.au/
Product
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:damstratechnology:smart_asset:2020.7:*:*:*:*:*:*:*

EPSS

Процентиль: 92%

0.08421

Низкий

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-9845-gph5-8ccg

github

больше 3 лет назад