PT-2009-5004 · Zen · Zen Help Desk

Tiger-Dz

Published: 2009-07-27 · Updated: 2017-09-19

CVE-2009-2604

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Zen Help Desk version 2.1

Description: The issue concerns SQL injection vulnerabilities in the adminlogin.asp file. Remote attackers can execute arbitrary SQL commands by manipulating the userid (also known as username) and PassWord parameters in the admin.asp file.

Recommendations: For Zen Help Desk version 2.1, restrict access to the adminlogin.asp file and avoid relying on the userid and PassWord parameters in the admin.asp file until a fix is available. As a temporary workaround, restrict the input accepted for these parameters to reduce the risk of SQL injection.
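The description above concerns a login form whose userid and PassWord parameters reach SQL text unsanitised. As an added illustration, not Zen Help Desk's own source, the classic-ASP block below shows the query pattern that produces this class of bug beside a parameterised version and the kind of input check the workaround in the recommendations calls for; the admins table, its column names, the conn object and the function names are assumptions.

```vbscript
<%
' Illustrative only: this is NOT Zen Help Desk's code. It contrasts the
' login-query pattern behind this class of bug with a hardened version.
' Assumed: a table "admins" with columns "userid" and "password_hash",
' and an already-open ADODB.Connection passed in as conn.

' --- Vulnerable pattern: request values spliced into the SQL text ---
Function LoginVulnerable(conn, userid, password)
    Dim sql, rs
    sql = "SELECT userid FROM admins WHERE userid='" & userid & _
          "' AND password='" & password & "'"
    Set rs = conn.Execute(sql)      ' a quote in either value rewrites the query
    LoginVulnerable = Not rs.EOF
    rs.Close
End Function

' --- Hardened form: parameterised query; values never become SQL syntax ---
Function LoginSafe(conn, userid, passwordHash)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT userid FROM admins WHERE userid = ? AND password_hash = ?"
    cmd.CommandType = 1          ' adCmdText
    ' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("userid", 200, 1, 64, userid)
    cmd.Parameters.Append cmd.CreateParameter("pwhash", 200, 1, 128, passwordHash)
    Set rs = cmd.Execute
    LoginSafe = Not rs.EOF
    rs.Close
End Function

' Input restriction in the spirit of the advisory's workaround: accept only a
' short identifier for userid before it is ever handed to the database.
Function IsValidUserId(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_.-]{1,64}$"
    IsValidUserId = re.Test(value)
End Function
%>
```

The allow-list check is defence in depth; the parameterised query is what actually removes the injection, because the driver sends userid and the password value separately from the statement text.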

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2009-2604

Affected Products

Zen Help Desk