|Very easy to exploit|
|(other affected products)||Published: Mon Dec 2 14:15:00 2019 UTC. Last Modified: Wed Dec 11 20:23:00 2019 UTC|
CPE matches: cpe:2.3:a:napc:xinet_elegant_6_asset_library:6.1.655:*:*:*:*:*:*:*
NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used.
- Complete loss of protection.
- Access to all information.
- Full Denial Of Service (DoS).
- Remote attacking is possible through the network and can be done by anyone (requires no authentication).
- No user interaction is required.
- The attack is estimated to have a high success rate, once attempted.
Damage and attack conditions obtained from CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSSv3)
Type of bug(s)
- CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.