Description
The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability.
Remediation
References
Related Vulnerabilities
Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-3273)
Jenkins Deserialization of Untrusted Data Vulnerability (CVE-2017-1000355)
WordPress Plugin BackUpWordPress Remote File Inclusion (0.4.2b)
WordPress Plugin YITH Color and Label Variations for WooCommerce Security Bypass (1.8.11)