PT-2019-14962 · Netreo · Netreo Omnicenter

Published

2019-10-08

Updated

2019-10-11

CVE-2019-17128

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Netreo OmniCenter versions prior to 12.1.2

Description The issue allows unauthenticated SQL Injection, specifically Boolean Based Blind SQL Injection, in the redirect parameters and parameter name of the login page through a GET request. This enables an attacker to read sensitive information from the database used by the application.

Recommendations For Netreo OmniCenter versions prior to 12.1.2, update to a version that contains a fix for this issue to prevent SQL Injection attacks. As a temporary workaround, consider restricting access to the login page to minimize the risk of exploitation. Avoid using the vulnerable redirect parameters in the login page until the issue is resolved.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2019-17128

Affected Products

Netreo Omnicenter

PT-2019-14962 · Netreo · Netreo Omnicenter

CVE-2019-17128

Weakness Enumeration

Related Identifiers

Affected Products

References · 5