CVE-2015-6004

Name of the Vulnerable Software and Affected Versions IPSwitch WhatsUp Gold versions prior to 16.4

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via two parameters: (1) the UniqueID (also known as sUniqueID) parameter to the "WrFreeFormText.asp" endpoint in the Reports component, or (2) the Find Device parameter.

Recommendations For versions prior to 16.4, update to version 16.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "WrFreeFormText.asp" endpoint and limiting the use of the Find Device parameter until the update is applied.