Summary
This host is running Adiscon LogAnalyzer and is prone to multiple SQL injection and cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow remote attackers to steal cookie based authentication credentials, compromise the application, access or modify data or exploit latent vulnerabilities in the underlying database.
Impact Level: Application
Solution
Upgrade to Adiscon LogAnalyzer version 3.4.3 or later. For updates refer to http://loganalyzer.adiscon.com/
Insight
Multiple flaws are due to:
- Input passed via the 'filter' parameter to index.php, the 'id' parameter to admin/reports.php and admin/searches.php is not properly sanitised before being returned to the user.
- Input passed via the 'Columns[]' parameter to admin/views.php is not properly sanitised before being used in SQL queries.
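As an added example (not part of this advisory or of the LogAnalyzer project), the following Python access-log check flags requests that send XSS or SQL-injection indicators to the exact script/parameter pairs named above; the /loganalyzer/ install prefix, the sample log lines and the indicator patterns are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script/parameter pairs taken from the advisory. Matching is done on the
# path suffix, so any install prefix (e.g. the assumed /loganalyzer/) works.
SUSPECT_PARAMS = {
    "index.php": {"filter"},
    "admin/reports.php": {"id"},
    "admin/searches.php": {"id"},
    "admin/views.php": {"Columns[]"},
}

# Coarse indicator patterns (assumed, for analyst triage, not exhaustive).
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)
SQLI_RE = re.compile(r"(?:'|%27).*?(?:--|#|\bor\b|\bunion\b|\bselect\b)", re.IGNORECASE)

# Request target inside a Combined Log Format entry: "GET /path?q HTTP/1.1"
REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

def classify_request(url):
    """Return (script, parameter, kind) for a suspicious request, else None."""
    parts = urlsplit(url)
    for script, params in SUSPECT_PARAMS.items():
        if not parts.path.endswith("/" + script):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
        for name in params:
            for value in query.get(name, []):
                decoded = unquote(value)  # second pass catches double-encoding
                if XSS_RE.search(decoded):
                    return (script, name, "xss")
                if SQLI_RE.search(decoded):
                    return (script, name, "sqli")
    return None

def scan_access_log(lines):
    """Return [(line_no, script, parameter, kind), ...] for suspicious lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        hit = classify_request(m.group(1)) if m else None
        if hit:
            findings.append((n,) + hit)
    return findings

# Constructed sample log lines: one XSS probe, one SQLi probe, one benign filter.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /loganalyzer/index.php?filter=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /loganalyzer/admin/views.php?op=add&Columns[]=1%27%20OR%201%3D1-- HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /loganalyzer/index.php?filter=severity%3Aerror HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]
```

Hits on these parameters from a patched (3.4.3 or later) install still merit review, since they show the host is being probed; legitimate filter expressions containing quotes will need tuning of SQLI_RE.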
Affected
Adiscon LogAnalyzer version 3.4.2 and prior
Severity
CVSS Base Score: 7.5
CVSS Vector (v2): AV:N/AC:L/Au:N/C:P/I:P/A:P