PT-2017-14964 · Trape · Trape

Published

2017-12-16

Updated

2018-01-04

CVE-2017-17713

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Trape versions prior to 2017-11-05

Description The issue allows for SQL injection through various parameters and HTTP headers, including the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, and several /register parameters such as country, countryCode, cpu, isp, lat, lon, org, query, region, regionName, timezone, vId, and zip, as well as the /tping id parameter.

Recommendations For Trape versions prior to 2017-11-05, consider restricting access to the vulnerable API endpoints, such as /nr and /register, and avoid using the specified parameters, including red, vId, User-Agent, country, countryCode, cpu, isp, lat, lon, org, query, region, regionName, timezone, zip, and id, until a fix is applied.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2017-17713

Affected Products

Trape

PT-2017-14964 · Trape · Trape

CVE-2017-17713

Weakness Enumeration

Related Identifiers

Affected Products

References · 7