Description

The xp_runwebtask stored procedure in the Web Tasks component of Microsoft SQL Server 7.0 and 2000, Microsoft Data Engine (MSDE) 1.0, and Microsoft Desktop Engine (MSDE) 2000 can be executed by PUBLIC, which allows an attacker to gain privileges by updating a webtask that is owned by the database owner through the msdb.dbo.mswebtasks table, which does not have strong permissions.

Remediation

References

CVE-2002-1145

Related Vulnerabilities

D3.js Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-16044)

Apache HTTP Server NULL Pointer Dereference Vulnerability (CVE-2021-26690)

WordPress 5.5.x Multiple Vulnerabilities (5.5 - 5.5.1)

Oracle Application Server Other Vulnerability (CVE-2007-2122)

Liferay Portal Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2022-42125)

Severity

Critical

Classification

CVE-2002-1145

Tags

Missing Update Known Vulnerabilities