PT-2020-16439 · Damstra · Damstra Smart Asset

Lukasz Studniarz

Published

2020-10-02

Updated

2020-10-06

CVE-2020-26525

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Damstra Smart Asset version 2020.7

Description The issue allows for SQL injection via the "API/api/Asset" endpoint, specifically through the originator parameter. This enables an attacker to force the database and server to initiate remote connections to third-party DNS servers.

Recommendations For Damstra Smart Asset version 2020.7, as a temporary workaround, consider restricting access to the "API/api/Asset" endpoint until a patch is available. Avoid using the originator parameter in this endpoint to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-26525

Affected Products

Damstra Smart Asset

PT-2020-16439 · Damstra · Damstra Smart Asset

CVE-2020-26525

Weakness Enumeration

Related Identifiers

Affected Products

References · 5