{"api_version":"1","generated_at":"2026-05-15T00:08:52+00:00","cve":"CVE-2015-6004","urls":{"html":"https://cve.report/CVE-2015-6004","api":"https://cve.report/api/cve/CVE-2015-6004.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2015-6004","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2015-6004"},"summary":{"title":"CVE-2015-6004","description":"Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter.","state":"PUBLISHED","assigner":"certcc","published_at":"2015-12-27 03:59:00","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-89","n/a"],"metrics":[{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.5","severity":"","vector":"AV:N/AC:L/Au:S/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems","name":"https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"Information Security: Multiple Disclosures for ... | Rapid7 Community","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/79506","name":"http://www.securityfocus.com/bid/79506","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Ipswitch WhatsUp Gold Multiple HTML Injection and SQL Injection Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.kb.cert.org/vuls/id/176160","name":"https://www.kb.cert.org/vuls/id/176160","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"],"title":"Vulnerability Note VU#176160 - IPswitch WhatsUp Gold contains multiple XSS vulnerabilities and a SQLi","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://twitter.com/ipswitch/statuses/677558623229317121","name":"http://twitter.com/ipswitch/statuses/677558623229317121","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"JavaScript is not available.","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.securitytracker.com/id/1034833","name":"http://www.securitytracker.com/id/1034833","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Ipswitch WhatsUp Input Validation Flaws Let Remote Users Conduct SQL Injection and Cross-Site Scripting Attacks - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2015-6004","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-6004","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2015","cve_id":"6004","vulnerable":"1","versionEndIncluding":"16.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"progress","cpe5":"whatsup_gold","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T07:06:35.184Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"VU#176160","tags":["third-party-advisory","x_refsource_CERT-VN","x_transferred"],"url":"https://www.kb.cert.org/vuls/id/176160"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://twitter.com/ipswitch/statuses/677558623229317121"},{"name":"1034833","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id/1034833"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems"},{"name":"79506","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/79506"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2015-12-16T00:00:00.000Z","descriptions":[{"lang":"en","value":"Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2016-12-02T20:57:01.000Z","orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc"},"references":[{"name":"VU#176160","tags":["third-party-advisory","x_refsource_CERT-VN"],"url":"https://www.kb.cert.org/vuls/id/176160"},{"tags":["x_refsource_CONFIRM"],"url":"http://twitter.com/ipswitch/statuses/677558623229317121"},{"name":"1034833","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id/1034833"},{"tags":["x_refsource_MISC"],"url":"https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems"},{"name":"79506","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/79506"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cert@cert.org","ID":"CVE-2015-6004","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"VU#176160","refsource":"CERT-VN","url":"https://www.kb.cert.org/vuls/id/176160"},{"name":"http://twitter.com/ipswitch/statuses/677558623229317121","refsource":"CONFIRM","url":"http://twitter.com/ipswitch/statuses/677558623229317121"},{"name":"1034833","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1034833"},{"name":"https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems","refsource":"MISC","url":"https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems"},{"name":"79506","refsource":"BID","url":"http://www.securityfocus.com/bid/79506"}]}}}},"cveMetadata":{"assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","assignerShortName":"certcc","cveId":"CVE-2015-6004","datePublished":"2015-12-27T02:00:00.000Z","dateReserved":"2015-08-14T00:00:00.000Z","dateUpdated":"2024-08-06T07:06:35.184Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2015-12-27 03:59:00","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-89","n/a"],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*","versionEndIncluding":"16.3","matchCriteriaId":"0956392B-9072-4C26-BB8A-9DFD92594C57"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2015","CveId":"6004","Ordinal":"1","Title":"CVE-2015-6004","CVE":"CVE-2015-6004","Year":"2015"},"notes":[{"CveYear":"2015","CveId":"6004","Ordinal":"1","NoteData":"Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter.","Type":"Description","Title":"CVE-2015-6004"},{"CveYear":"2015","CveId":"6004","Ordinal":"2","NoteData":"2015-12-26","Type":"Other","Title":"Published"},{"CveYear":"2015","CveId":"6004","Ordinal":"3","NoteData":"2016-12-02","Type":"Other","Title":"Modified"}]}}}