CVE-2014-4977

Name of the Vulnerable Software and Affected Versions Dell SonicWall Scrutinizer version 11.0.1

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via several parameters in different API endpoints and functions, including the selectedUserGroup parameter in a create new user request to "cgi-bin/admin.cgi", the user id parameter in the changeUnit function, the methodDetail parameter in the methodDetail function, or the xcNetworkDetail parameter in the xcNetworkDetail function in "d4d/exporters.php".

Recommendations For Dell SonicWall Scrutinizer version 11.0.1, consider disabling the changeUnit function, the methodDetail function, and the xcNetworkDetail function until a patch is available. Restrict access to the "cgi-bin/admin.cgi" and "d4d/exporters.php" modules to minimize the risk of exploitation. Avoid using the selectedUserGroup, user id, methodDetail, and xcNetworkDetail parameters in the affected API endpoints and functions until the issue is resolved.