{"api_version":"1","generated_at":"2026-04-22T21:02:19+00:00","cve":"CVE-2019-3661","urls":{"html":"https://cve.report/CVE-2019-3661","api":"https://cve.report/api/cve/CVE-2019-3661.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-3661","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-3661"},"summary":{"title":"CVE-2019-3661","description":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.","state":"PUBLIC","assigner":"psirt@mcafee.com","published_at":"2019-11-14 00:15:00","updated_at":"2023-11-07 03:10:00"},"problem_types":["CWE-89"],"metrics":[],"references":[{"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10304","name":"https://kc.mcafee.com/corporate/index?page=content&id=SB10304","refsource":"MISC","tags":["Vendor Advisory"],"title":"McAfee Security Bulletin - Advanced Threat Defense update fixes seven vulnerabilities (CVE-2019-3649, CVE-2019-3650, CVE-2019-3651, CVE-2019-3660, CVE-2019-3661, CVE-2019-3662, and CVE-2019-3663)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-3661","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-3661","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"3661","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mcafee","cpe5":"advanced_threat_defense","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"3661","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mcafee","cpe5":"advanced_threat_defense","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"psirt@mcafee.com","ID":"CVE-2019-3661","STATE":"PUBLIC","TITLE":"Advanced Threat Defense (ATD) - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Advanced Threat Defense (ATD)","version":{"version_data":[{"version_affected":"<","version_value":"4.8"}]}}]},"vendor_name":"McAfee"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10304","name":"https://kc.mcafee.com/corporate/index?page=content&id=SB10304"}]},"source":{"advisory":"SB10304","discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2019-11-14 00:15:00","lastModifiedDate":"2023-11-07 03:10:00","problem_types":["CWE-89"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mcafee:advanced_threat_defense:*:*:*:*:*:*:*:*","versionEndExcluding":"4.8","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"3661","Ordinal":"141269","Title":"CVE-2019-3661","CVE":"CVE-2019-3661","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"3661","Ordinal":"1","NoteData":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"3661","Ordinal":"2","NoteData":"2019-11-13","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"3661","Ordinal":"3","NoteData":"2019-11-13","Type":"Other","Title":"Modified"}]}}}