RETIRED: GroundWork Monitor Enterprise 'Noma' Component Multiple Input Validation Vulnerabilities
BID:58403
Info
| Bugtraq ID: | 58403 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 08 2013 12:00AM |
| Updated: | May 09 2013 02:02PM |
| Credit: | Johannes Greil from SEC Consult Vulnerability Lab |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
The Noma component of GroundWork Monitor Enterprise is prone to a cross-site request forgery vulnerability, multiple cross-site scripting vulnerabilities, multiple HTML-injection vulnerabilities, and an SQL injection vulnerability because the application does not properly sanitize user-supplied inputs.
Exploiting these issues could allow an attacker to perform certain administrative actions and gain unauthorized access to the affected application, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
GroundWork Monitor Enterprise 6.7.0 is vulnerable; other versions may also be affected.
This BID is being retired. The following individual records exist to better document the issues:
59778 GroundWork Monitor Enterprise CVE-2013-3513 Multiple SQL Injection Vulnerabilities
59780 GroundWork Monitor Enterprise CVE-2013-3501 Cross Site Scripting and HTML Injection Vulnerabilities
59781 GroundWork Monitor Enterprise CVE-2013-3513 Multiple Cross Site Request Forgery Vulnerabilities
Exploit / POC
Attackers can exploit these issues using a browser. To exploit the cross-site scripting and cross-site request forgery issues, the attacker must entice an unsuspecting victim to follow a malicious URI.
Solution / Fix
Solution:
Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References