Home / os / winmobile

Accentis Content Resource Management System SQL Injection

Posted on 03 November 2015

Issue 1 # Vulnerability type: SQL Injection # Vendor: http://www.accentis.com.au/ # Product: Accentis Content Resource Management System # Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan # CVE ID: CVE-2015-3424 # PROOF OF CONCEPT (SQLi) Accentis Content Resource Management System before October 2015 patch contains SQL Injection (SQLi) vulnerability which allows authenticated users to inject SQL statements via the following parameter. # VULNERABLE PARAMETER: - SIDX # SAMPLE PAYLOAD - ' # TIMELINE - 15/04/2015: Vulnerability found - 09/07/2015: Vendor informed - 09/07/2015: Vendor responded and acknowledged - 28/10/2015: Vendor fixed the issue - 02/11/2015: Public disclosure

 

TOP