vendor:
Hostwq.net
by:
Dazz
6.1
CVSS
MEDIUM
SQL Injection
89
CWE
Product Name: Hostwq.net
Affected Version From: 1
Affected Version To: 1.2
Patch Exists: YES
Related CWE: CVE-2019-12345
CPE: a:hostwq:hostwq_net
Metasploit:
N/A
Other Scripts:
https://www.infosecmatter.com/nessus-plugin-library/?id=124686, https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/misc/ibm_tm1_unauth_rce, https://www.infosecmatter.com/nessus-plugin-library/?id=109896, https://www.infosecmatter.com/nessus-plugin-library/?id=109034, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/dos/dhcp/isc_dhcpd_clientid, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/dos/windows/rdp/ms12_020_maxchannelids, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/dos/windows/smb/ms11_019_electbowser, https://www.infosecmatter.com/nessus-plugin-library/?id=11256, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/admin/http/cnpilot_r_fpt, https://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/admin/http/cnpilot_r_cmd_exec
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2019
Powered by Search Optics Automotive Internet Marketing
The vulnerability exists due to insufficient filtration of user-supplied data in the "viewID" parameter in the "inventory.php" script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application database. This can be exploited to bypass authentication and gain access to the application.
Mitigation:
Input validation should be used to prevent SQL injection attacks.