PT-2018-4439 · Rxtec · Radmin

Thomas Konrad

Published

2018-09-24

Updated

2018-11-13

CVE-2015-8298

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions RXTEC RXAdmin UPDATE 06 / 2012

Description The issue concerns SQL injection vulnerabilities in the login page. Remote attackers can execute arbitrary SQL commands by manipulating specific parameters to the index.htm page, including the loginpassword, loginusername, zusatzlicher, and groupid parameters, or by altering the rxtec cookie.

Recommendations For RXTEC RXAdmin UPDATE 06 / 2012, consider restricting access to the login page until a fix is available, and avoid using the vulnerable parameters loginpassword, loginusername, zusatzlicher, and groupid in the index.htm page, as well as the rxtec cookie.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2015-8298

Affected Products

Radmin

PT-2018-4439 · Rxtec · Radmin

CVE-2015-8298

Weakness Enumeration

Related Identifiers

Affected Products

References · 4