漏洞标题
N/A
漏洞描述信息
**争议性** VCS虚拟程序管理企业内部网(VPMi)3.3中存在SQL注入漏洞,允许远程攻击者通过UpdateID0参数向Service_Requests.asp执行任意SQL命令。注意:此信息的来源未知;仅从第三方信息获取详细信息。注意:供应商对这个问题表示否认,并称[我们]有一个幕后复杂的状态管理系统,使用JavaScript和会话状态(服务器端)的组合键来保护免受你描述的那种SQL注入攻击。我们测试了许多案例,并没有发现这个问题。进一步的调查表明,原始研究者可能使用无效字段值触发错误,但这并不能证明SQL注入;然而,供应商没有收到原始研究者的回复。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
SQL injection vulnerability in VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3 allows remote attackers to execute arbitrary SQL commands via the UpdateID0 parameter to Service_Requests.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this issue, saying that "[we] have a behind the scenes complex state management system that uses a combination of keys placed in JavaScript and Session State (server side) that protects against the type of SQL injection you describe. We have tested for many of the cases and have not found it to be an issue." Further investigation suggests that the original researcher might have triggered errors using invalid field values, which is not proof of SQL injection; however, the vendor did not receive a response from the original researcher
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Virtual Communication Services VPMi Enterprise Service_Requests.ASP SQL注入漏洞
漏洞描述信息
** 有争议 ** VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3中存在SQL注入漏洞。远程攻击者可以借助指向Service_Requests.asp的UpdateID0参数执行任意SQL命令。注意:此信息的来源不详;详情由第三方独家提供。注意:厂商对此问题有争议,说"[我们]具有后台复杂状态管理系统,使用位于JavaScript和Session State(服务器端)中的密钥组合,可以防范你们所说的那种类型的SQL注入。我们已在
CVSS信息
N/A
漏洞类别
SQL注入