vendor:
Control Manager
by:
otoy (@otoy_rood) & modpr0be (@modpr0be)
7.5
CVSS
HIGH
Blind SQL Injection
89
CWE
Product Name: Control Manager
Affected Version From: 5.5
Affected Version To: 6.0
Patch Exists: YES
Related CVE: CVE-2012-2998
CPE: a:trend_micro:control_manager
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2012
Trend Micro Control Manager 5.5/6.0 AdHocQuery Blind SQL Injection (post-auth)
The vulnerability is in the id parameter of the AdHocQuery module. Appending a payload to the id parameter, for example ' WAITFOR DELAY '0:0:5'--, makes the web application hang for 5 seconds, which shows that it is vulnerable to time-based SQL injection.
Mitigation:
Vendor acknowledged the vulnerability and released a patch.