PT-2019-15790 · Napc Xinet · Napc Xinet Elegant 6 Asset Library
Hyp3Rlinx
·
Published
2019-12-02
·
Updated
2025-02-02
·
CVE-2019-19245
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
NAPC Xinet Elegant 6 Asset Library version 6.1.655
Description
The issue allows for Pre-Authentication SQL Injection via the "/elegant6/login" API endpoint, specifically through the
username field in the LoginForm when double quotes are used.Recommendations
For NAPC Xinet Elegant 6 Asset Library version 6.1.655, avoid using double quotes in the
username field of the LoginForm at the "/elegant6/login" API endpoint until a fix is available. Consider temporarily restricting access to this endpoint to minimize the risk of exploitation.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Napc Xinet Elegant 6 Asset Library