var-201312-0317
Vulnerability from variot
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands by specifying them in the value attribute in a (1) Command or (2) Script XML element. NOTE: this issue can be combined with CVE-2013-7092 to allow remote attackers to execute commands. McAfee Email Gateway contains a command execution vulnerability. McAfee Email and Web Security Appliance and Email Gateway are prone to multiple SQL-injection and remote command-execution vulnerabilities because they fail to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to execute arbitrary commands, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more.
McAfee Email Gateway 7.6 multiple vulnerabilities
http://www.mcafee.com/us/products/email-gateway.aspx -- Has free trial
Many instances of SQL injection were found as an unprivileged read-only authenticated user that allow the user to completely take over the accounts of other users by using a stacked injection technique to run UPDATE statements. Other techniques available are error-based, time-based, and boolean-based injections.
Several remote command execution vulnerabilities were found as an administrator which are run as the local root user. By utilising the SQL injections as an unprivileged user, a user can escalate privileges by updating the password hash of an admin, and ultimately run commands on the server as root.
However, no data seems to be able to be exfiltrated via the command injections. You may receive a connect back, but no commands can be run over the connect-back. My solution to this was to pipe the results of commands into a file in /tmp, then use the SQL injections to read the file from the FS and return the results.
As a read-only user with reporting capabilities, many SQL injection vectors exist when creating new reports based on filters. You can get to this part of the web app by clicking the Reports menu item at the top-center. The following request contains four exploitable SQL injections each exploitable via a few different techniques:
POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
Host: 172.31.16.87:10443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=UTF-8
Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html
Content-Length: 626
Cookie: SCMUserSettings=lastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_page_id%3Ddashboard; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week","events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterType":"system","autoconv":1}
Within the above request, the events_col, event_id, reason, events_order, emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL injection. You can capture the request with Burp Suite and alter each value by adding an apostrophe to view the SQL error in the response. You can also use SQLmap to try various techniques for exploitability.
Many remote command execution vulnerabilities exist for administrator users. Every vector I found was being run as the root user and they all exist within a single request. As an administrator, go to the System tab in the top menu. You will be presented with general server settings. Remove the last letter of the hostname, and replace it back. You will now have a green checkmark in the top right of the web application. Click this, then click OK on the dialog that pops up in the web app. The next captured request will be the request susceptible to command execution. It is a very large request with XML contained in JSON. Because this makes sense.
Within this XML, you may search for any XML element whose "name" attribute contains TestFile. Any of these elements are susceptible to command injection within the "value" attribute. These filenames seem to be passed to a utility like 'test' to ensure whether or not it exists. By using shell metacharacters, you can execute arbitrary commands on the system as root.
The hostname within this request is also susceptible to command injection via shell metacharacters.
You may also search for any XML element called Command. Each of these elements contains a small command to be run on a given event. You may alter any of these to be run as root.
You may also search for an XML element called Script. This is used to manage the cron jobs (make sure the corresponding Enabled element is set to "1" instead of "0"). You may alter or create any cron jobs that will be run as root.
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
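How the report parameters named in the advisory could be handled on the server side, as an added example (not code from the advisory or from the product): sort fields are taken from allowlists and filter values are bound as parameters. The events table, the column names other than edate, the numeric limits and the use of sqlite3 as a stand-in database are assumptions.

```python
import json
import sqlite3

# Identifiers and keywords cannot be bound as SQL parameters, so the sort
# fields are chosen from fixed sets. Only "edate" and "DESC" appear in the
# advisory's request; the other column names are assumed for this sketch.
SORT_COLUMNS = {"edate", "event_id", "reason"}
SORT_ORDERS = {"ASC", "DESC"}
FILTER_KEYS = ("event_id", "reason")


class RejectedRequest(ValueError):
    """A report request carried a value outside what the server accepts."""


def pick(args, key, allowed, default):
    """Return args[key] only if it is one of the allowed strings."""
    value = args.get(key, default)
    if not isinstance(value, str) or value not in allowed:
        raise RejectedRequest(f"{key}: not an allowed value")
    return value


def bounded_int(args, key, default, upper):
    """Return args[key] only if it is a real integer in [0, upper]."""
    value = args.get(key, default)
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= upper:
        raise RejectedRequest(f"{key}: not an integer in range")
    return value


def build_events_query(args):
    """Turn getDDSData arguments into (sql, params) without concatenating input."""
    col = pick(args, "events_col", SORT_COLUMNS, "edate")
    order = pick(args, "events_order", SORT_ORDERS, "DESC")
    # The emailstatus_* pair gets the same check even though this query ignores it.
    pick(args, "emailstatus_col", SORT_COLUMNS, "edate")
    pick(args, "emailstatus_order", SORT_ORDERS, "DESC")

    filters = args.get("filters", {})
    if not isinstance(filters, dict):
        raise RejectedRequest("filters: not an object")
    where, params = [], []
    for key in FILTER_KEYS:  # column names come from the constant, never the client
        value = filters.get(key, "all")
        if not isinstance(value, str):
            raise RejectedRequest(f"{key}: not a string")
        if value != "all":
            where.append(f"{key} = ?")
            params.append(value)  # bound as data, so quotes stay inert

    sql = "SELECT edate, event_id, reason FROM events"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += f" ORDER BY {col} {order} LIMIT ? OFFSET ?"
    params.append(bounded_int(args, "events_nitems", 50, 500))
    params.append(bounded_int(args, "events_offset", 0, 1_000_000))
    return sql, params


def run_report(conn, body):
    """Parse the JSON body of a doReport-style request and run the events query."""
    try:
        args = json.loads(body)["commands"][0]["args"]
    except (ValueError, KeyError, IndexError, TypeError) as exc:
        raise RejectedRequest("malformed request body") from exc
    if not isinstance(args, dict):
        raise RejectedRequest("args: not an object")
    sql, params = build_events_query(args)
    return conn.execute(sql, params).fetchall()


def sample_db():
    """Constructed in-memory table standing in for the appliance's event store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (edate INTEGER, event_id TEXT, reason TEXT)")
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?)",
        [(100, "login", "ok"), (300, "logout", "ok"), (200, "login", "denied")],
    )
    return conn


def sample_body(arg_overrides=None, filter_overrides=None):
    """Constructed request body using the key names from the advisory's request."""
    filters = {"event_id": "all", "reason": "all"}
    filters.update(filter_overrides or {})
    args = {"what": ["events"], "filters": filters, "events_col": "edate",
            "events_order": "DESC", "events_offset": 0, "events_nitems": 50,
            "emailstatus_col": "edate", "emailstatus_order": "DESC"}
    args.update(arg_overrides or {})
    return json.dumps({"id": "loadreport",
                       "commands": [{"name": "getDDSData", "args": args}]})


if __name__ == "__main__":
    db = sample_db()
    print(run_report(db, sample_body()))
    try:
        run_report(db, sample_body({"events_col": "edate'"}))
    except RejectedRequest as err:
        print("rejected:", err)
```

A value with an appended apostrophe in any of the four sort keys is rejected before a query is built, and the same character in event_id or reason reaches the database only as bound data.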
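A defensive counterpart to the command-execution findings above, as an added example (not code from the advisory or from the product): it validates TestFile and hostname values in a submitted configuration document, flags any change to Command, Script or Enabled values, and checks file existence without a shell. The XML layout, the Setting element name, the sample documents and the policy that those three element types must match the stored configuration are assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET

# Absolute path made only of characters that have no meaning to a shell.
PLAIN_PATH = re.compile(r"/[A-Za-z0-9._/-]*")
# RFC 1123 style host name: dot-separated labels of letters, digits, hyphens.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_NAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")
# Elements whose values the appliance executes or schedules, per the advisory.
PRIVILEGED_TAGS = ("Command", "Script", "Enabled")


def is_plain_path(value):
    """True for an absolute path with no shell metacharacters and no '..' parts."""
    return bool(PLAIN_PATH.fullmatch(value)) and ".." not in value.split("/")


def path_exists(value):
    """Existence check that never builds a shell command line.

    The unsafe pattern the advisory infers is equivalent to
    os.system("test -e " + value), where a shell parses the value.
    """
    if not is_plain_path(value):
        raise ValueError("rejected path")
    return os.path.exists(value)


def parse_config(text):
    """Parse configuration XML, refusing DTDs and entity declarations."""
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTDs are not accepted in submitted configuration")
    return ET.fromstring(text)


def privileged_values(root):
    """Ordered (tag, value) pairs for every Command, Script and Enabled element."""
    return [(el.tag, el.get("value", "")) for el in root.iter()
            if el.tag in PRIVILEGED_TAGS]


def audit_config(submitted_xml, stored_xml):
    """Return findings for a submitted document compared with the stored one."""
    submitted = parse_config(submitted_xml)
    stored = parse_config(stored_xml)
    findings = []
    for el in submitted.iter():
        name, value = el.get("name", ""), el.get("value", "")
        if "TestFile" in name and not is_plain_path(value):
            findings.append(f"{name}: value is not a plain absolute path")
        elif name.lower() == "hostname" and not (
                len(value) <= 253 and HOST_NAME.fullmatch(value)):
            findings.append("hostname: value is not a valid host name")
    if privileged_values(submitted) != privileged_values(stored):
        findings.append(
            "Command/Script/Enabled: values differ from the stored configuration")
    return findings


# Constructed documents; the real request's XML is not shown in the advisory.
STORED_XML = """<Config>
  <Setting name="hostname" value="mail01.example.test"/>
  <Setting name="LogTestFile" value="/var/log/messages"/>
  <Command value="/usr/bin/logger config-applied"/>
  <Job><Enabled value="0"/><Script value="/opt/jobs/rotate.sh"/></Job>
</Config>"""

TAMPERED_XML = """<Config>
  <Setting name="hostname" value="mail01;echo constructed"/>
  <Setting name="LogTestFile" value="/var/log/messages;echo constructed"/>
  <Command value="/usr/bin/logger config-applied"/>
  <Job><Enabled value="1"/><Script value="/tmp/constructed.sh"/></Job>
</Config>"""

if __name__ == "__main__":
    for finding in audit_config(TAMPERED_XML, STORED_XML):
        print(finding)
```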
VARIoT record: VAR-201312-0317 (https://www.variotdbs.pl/vuln/VAR-201312-0317)
CVE: CVE-2013-7104
Affected products: McAfee Email Gateway 7.6; McAfee Email Gateway 7.0
CPE: cpe:/a:mcafee:email_gateway
Credits: Brandon Perry
CVSS v2 (nvd@nist.gov): base score 9.0, severity HIGH, vector AV:N/AC:L/Au:S/C:C/I:C/A:C, exploitability score 8.0, impact score 10.0
CVSS v2 (VULHUB, VHN-67106): base score 9.0, severity HIGH, vector AV:N/AC:L/AU:S/C:C/I:C/A:C, exploitability score 8.0, impact score 10.0
Severity by source: HIGH (nvd@nist.gov), High (NVD), CRITICAL (CNNVD), HIGH (VULHUB)
Problem type: CWE-78
External IDs: NVD CVE-2013-7104; BID 64150; PACKETSTORM 124277; OSVDB 100581; JVNDB JVNDB-2013-005531; CNNVD CNNVD-201312-289; FULLDISC 20131203 MCAFEE EMAIL GATEWAY MULTIPLE VULNS; VULHUB VHN-67106
IoT: true
Last update: 2024-11-23T22:27:22.388000Z
Patch: McAfee Email Gateway, http://www.mcafee.com/japan/products/email_gateway.asp
References:
http://seclists.org/fulldisclosure/2013/dec/18
http://www.securityfocus.com/bid/64150
}, { "trust": 1.7, "url": "http://packetstormsecurity.com/files/124277/mcafee-email-gateway-7.6-command-execution-sql-injection.html" }, { "trust": 1.7, "url": "http://osvdb.org/100581" }, { "trust": 1.1, "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90163" }, { "trust": 0.8, "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-7104" }, { "trust": 0.8, "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-7104" }, { "trust": 0.1, "url": "http://volatile-minds.blogspot.com" }, { "trust": 0.1, "url": "http://www.volatileminds.net" } ], "sources": [ { "db": "VULHUB", "id": "VHN-67106" }, { "db": "JVNDB", "id": "JVNDB-2013-005531" }, { "db": "PACKETSTORM", "id": "124277" }, { "db": "CNNVD", "id": "CNNVD-201312-289" }, { "db": "NVD", "id": "CVE-2013-7104" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-67106" }, { "db": "BID", "id": "64150" }, { "db": "JVNDB", "id": "JVNDB-2013-005531" }, { "db": "PACKETSTORM", "id": "124277" }, { "db": "CNNVD", "id": "CNNVD-201312-289" }, { "db": "NVD", "id": "CVE-2013-7104" } ] },
"sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2013-12-14T00:00:00", "db": "VULHUB", "id": "VHN-67106" }, { "date": "2013-12-03T00:00:00", "db": "BID", "id": "64150" }, { "date": "2013-12-17T00:00:00", "db": "JVNDB", "id": "JVNDB-2013-005531" }, { "date": "2013-12-05T03:50:54", "db": "PACKETSTORM", "id": "124277" }, { "date": "2013-12-17T00:00:00", "db": "CNNVD", "id": "CNNVD-201312-289" }, { "date": "2013-12-14T17:21:47.460000", "db": "NVD", "id": "CVE-2013-7104" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2017-08-29T00:00:00", "db": "VULHUB", "id": "VHN-67106" }, { "date": "2014-03-17T00:55:00", "db": "BID", "id": "64150" }, { "date": "2013-12-17T00:00:00", "db": "JVNDB", "id": "JVNDB-2013-005531" }, { "date": "2013-12-17T00:00:00", "db": "CNNVD", "id": "CNNVD-201312-289" }, { "date": "2024-11-21T02:00:21.390000", "db": "NVD", "id": "CVE-2013-7104" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "124277" }, { "db": "CNNVD", "id": "CNNVD-201312-289" } ], "trust": 0.7 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "McAfee Email Gateway Vulnerabilities in arbitrary command execution", "sources": [ { "db": "JVNDB", "id": "JVNDB-2013-005531" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "operating system command injection",
"sources": [ { "db": "CNNVD", "id": "CNNVD-201312-289" } ], "trust": 0.6 } }
Sightings
Author | Source | Type | Date |
---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.