CVE-2016-1914

Name of the Vulnerable Software and Affected Versions BlackBerry Enterprise Server 12 (BES12) Self-Service versions prior to 12.4

Description The issue concerns SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet. Remote attackers can execute arbitrary SQL commands via the imageName parameter to various API endpoints, including "mydevice/client/image", "admin/client/image", "myapps/client/image", "ssam/client/image", or "all/client/image".

Recommendations For versions prior to 12.4, update to version 12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable ImageServlet servlet until a patch is applied. Avoid using the imageName parameter in the affected API endpoints until the issue is resolved.