cnvd - cnvd-2017-01510

cnvd-2017-01510

Vulnerability from cnvd

Title: Ecava IntegraXor存在多个SQL注入漏洞

Description:

Ecava IntegraXor是一套基于Web的用于创建和运行SCADA系统的HMI界面的工具。

Ecava IntegraXor存在多个SQL注入漏洞，该漏洞源于在使用用户输入做SQL查询之前未能进行恰当的验证。攻击者可以利用该漏洞损坏受影响的应用程序，访问或修改数据，或者利用底层数据库的潜在漏洞。

Severity: 高

Patch Name: Ecava IntegraXor存在多个SQL注入漏洞的补丁

Patch Description:

Ecava IntegraXor是一套基于Web的用于创建和运行SCADA系统的HMI界面的工具。

Ecava IntegraXor存在多个SQL注入漏洞，该漏洞源于在使用用户输入做SQL查询之前未能进行恰当的验证。攻击者可以利用该漏洞损坏受影响的应用程序，访问或修改数据，或者利用底层数据库的潜在漏洞。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://ics-cert.us-cert.gov/advisories/ICSA-17-031-02

Reference: http://www.securityfocus.com/bid/95907

Impacted products

Name
Ecava IntegraXor 5.0.413.0

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "95907"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-8341",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8341"
    }
  },
  "description": "Ecava IntegraXor\u662f\u4e00\u5957\u57fa\u4e8eWeb\u7684\u7528\u4e8e\u521b\u5efa\u548c\u8fd0\u884cSCADA\u7cfb\u7edf\u7684HMI\u754c\u9762\u7684\u5de5\u5177\u3002\r\n\r\nEcava IntegraXor\u5b58\u5728\u591a\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u4f7f\u7528\u7528\u6237\u8f93\u5165\u505aSQL\u67e5\u8be2\u4e4b\u524d\u672a\u80fd\u8fdb\u884c\u6070\u5f53\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u635f\u574f\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u8bbf\u95ee\u6216\u4fee\u6539\u6570\u636e\uff0c\u6216\u8005\u5229\u7528\u5e95\u5c42\u6570\u636e\u5e93\u7684\u6f5c\u5728\u6f0f\u6d1e\u3002",
  "discovererName": "Brian Gorenc and Juan Pablo Lopez",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-17-031-02",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-01510",
  "openTime": "2017-02-17",
  "patchDescription": "Ecava IntegraXor\u662f\u4e00\u5957\u57fa\u4e8eWeb\u7684\u7528\u4e8e\u521b\u5efa\u548c\u8fd0\u884cSCADA\u7cfb\u7edf\u7684HMI\u754c\u9762\u7684\u5de5\u5177\u3002\r\n\r\nEcava IntegraXor\u5b58\u5728\u591a\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u4f7f\u7528\u7528\u6237\u8f93\u5165\u505aSQL\u67e5\u8be2\u4e4b\u524d\u672a\u80fd\u8fdb\u884c\u6070\u5f53\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u635f\u574f\u53d7\u5f71\u54cd\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u8bbf\u95ee\u6216\u4fee\u6539\u6570\u636e\uff0c\u6216\u8005\u5229\u7528\u5e95\u5c42\u6570\u636e\u5e93\u7684\u6f5c\u5728\u6f0f\u6d1e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Ecava IntegraXor\u5b58\u5728\u591a\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Ecava IntegraXor 5.0.413.0"
  },
  "referenceLink": "http://www.securityfocus.com/bid/95907",
  "serverity": "\u9ad8",
  "submitTime": "2017-02-10",
  "title": "Ecava IntegraXor\u5b58\u5728\u591a\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2016-8341 (GCVE-0-2016-8341)

Vulnerability from cvelistv5

Published

2017-02-13 21:00

Modified

2024-08-06 02:20

Severity ?

CWE

Ecava IntegraXor SQL injection

Summary

An issue was discovered in Ecava IntegraXor Version 5.0.413.0. The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection. If the queries are not sanitized, the host's database could be subject to read, write, and delete commands.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/95907	vdb-entry, x_refsource_BID
	https://ics-cert.us-cert.gov/advisories/ICSA-17-031-02	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Ecava IntegraXor 5.0.413.0	Version: Ecava IntegraXor 5.0.413.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:20:30.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "95907",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/95907"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-031-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ecava IntegraXor 5.0.413.0",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Ecava IntegraXor 5.0.413.0"
            }
          ]
        }
      ],
      "datePublic": "2017-02-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Ecava IntegraXor Version 5.0.413.0. The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection. If the queries are not sanitized, the host\u0027s database could be subject to read, write, and delete commands."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Ecava IntegraXor SQL injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-02-14T10:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "95907",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/95907"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-031-02"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2016-8341",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Ecava IntegraXor 5.0.413.0",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Ecava IntegraXor 5.0.413.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Ecava IntegraXor Version 5.0.413.0. The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection. If the queries are not sanitized, the host\u0027s database could be subject to read, write, and delete commands."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Ecava IntegraXor SQL injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "95907",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/95907"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-031-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-031-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2016-8341",
    "datePublished": "2017-02-13T21:00:00",
    "dateReserved": "2016-09-28T00:00:00",
    "dateUpdated": "2024-08-06T02:20:30.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted