[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Accentis Content Resource Management System - SQL

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Accentis Content Resource Management System - SQL
From: GalaxyCVEcollector@xxxxxxxxx
Date: Mon, 2 Nov 2015 06:14:56 GMT

Issue 1
# Vulnerability type: SQL Injection
# Vendor: http://www.accentis.com.au/
# Product: Accentis Content Resource Management System
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan
# CVE ID: CVE-2015-3424

# PROOF OF CONCEPT (SQLi)

Accentis Content Resource Management System before October 2015 patch contains 
SQL Injection (SQLi) vulnerability which allows authenticated users to inject 
SQL statements via the following parameter.

# VULNERABLE PARAMETER:
- SIDX

# SAMPLE PAYLOAD
- '

# TIMELINE
- 15/04/2015: Vulnerability found
- 09/07/2015: Vendor informed
- 09/07/2015: Vendor responded and acknowledged
- 28/10/2015: Vendor fixed the issue
- 02/11/2015: Public disclosure

Prev by Date: Cross-Site Scripting | Zeuscart V4
Next by Date: Accentis Content Resource Management System - XSS
Previous by thread: Cross-Site Scripting | Zeuscart V4
Next by thread: Accentis Content Resource Management System - XSS
Index(es):
- Date
- Thread