Vulnerability-Lookup

CNVD-2020-10125

Vulnerability from cnvd - Published: 2020-02-18

Title

LabVantage LIMS信息泄露漏洞

Description

LabVantage Solutions LIMS是美国LabVantage Solutions公司的一套实验室信管理系统。 LabVantage LIMS 8.3存在信息泄露漏洞。该漏洞源于LabVantage LIMS未能正确维护数据库名称的机密性。攻击者可通过在请求中提供自己的数据库名称利用该漏洞枚举数据库名称。

Severity

低

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.labvantage.com

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-7959

Impacted products

Name
LabVantage Solutions LabVantage LIMS 8.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-7959",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-7959"
    }
  },
  "description": "LabVantage Solutions LIMS\u662f\u7f8e\u56fdLabVantage Solutions\u516c\u53f8\u7684\u4e00\u5957\u5b9e\u9a8c\u5ba4\u4fe1\u7ba1\u7406\u7cfb\u7edf\u3002\n\nLabVantage LIMS 8.3\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eLabVantage LIMS\u672a\u80fd\u6b63\u786e\u7ef4\u62a4\u6570\u636e\u5e93\u540d\u79f0\u7684\u673a\u5bc6\u6027\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5728\u8bf7\u6c42\u4e2d\u63d0\u4f9b\u81ea\u5df1\u7684\u6570\u636e\u5e93\u540d\u79f0\u5229\u7528\u8be5\u6f0f\u6d1e\u679a\u4e3e\u6570\u636e\u5e93\u540d\u79f0\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.labvantage.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-10125",
  "openTime": "2020-02-18",
  "products": {
    "product": "LabVantage Solutions LabVantage LIMS 8.3"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-7959",
  "serverity": "\u4f4e",
  "submitTime": "2020-02-18",
  "title": "LabVantage LIMS\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2020-7959 (GCVE-0-2020-7959)

Vulnerability from cvelistv5 – Published: 2020-02-17 20:22 – Updated: 2024-08-04 09:48

Summary

LabVantage LIMS 8.3 does not properly maintain the confidentiality of database names. For example, the web application exposes the database name. An attacker might be able to enumerate database names by providing his own database name in a request, because the response will return an 'Unrecognized Database exception message if the database does not exist.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/websecnl/LabVantage8.3-Exploit	x_refsource_MISC
	https://www.exploit-db.com/exploits/48090	exploitx_refsource_EXPLOIT-DB

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:48:24.980Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/websecnl/LabVantage8.3-Exploit"
          },
          {
            "name": "48090",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/48090"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LabVantage LIMS 8.3 does not properly maintain the confidentiality of database names. For example, the web application exposes the database name. An attacker might be able to enumerate database names by providing his own database name in a request, because the response will return an \u0027Unrecognized Database exception message if the database does not exist."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-17T20:22:36.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/websecnl/LabVantage8.3-Exploit"
        },
        {
          "name": "48090",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/48090"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-7959",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "LabVantage LIMS 8.3 does not properly maintain the confidentiality of database names. For example, the web application exposes the database name. An attacker might be able to enumerate database names by providing his own database name in a request, because the response will return an \u0027Unrecognized Database exception message if the database does not exist."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/websecnl/LabVantage8.3-Exploit",
              "refsource": "MISC",
              "url": "https://github.com/websecnl/LabVantage8.3-Exploit"
            },
            {
              "name": "48090",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/48090"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-7959",
    "datePublished": "2020-02-17T20:22:36.000Z",
    "dateReserved": "2020-01-24T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:48:24.980Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-10125

CVE-2020-7959 (GCVE-0-2020-7959)

Tags

Sightings

Nomenclature