Vulnerability Note VU#176160
IPswitch WhatsUp Gold contains multiple XSS vulnerabilities and a SQLi
IPSwitch's WhatsUp Gold version 16.3, and possibly previous versions, is vulnerable to SQL injection and cross-site scripting attacks.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-6004
The "Find Device" search field does not properly neutralize user input, allowing an unauthenticated (e.g., the guest account) attacker to perform SQL queries and commands by inserting ticks or percent characters.
These fields appear to be only accessible by privileged accounts (e.g., administrator accounts) and therefore are unlikely to be exploited in practice.
According to the reporters, WhatsUp Gold version 16.3 is affected by these vulnerabilities. Other versions may also be affected.
The CVSS score below is based on CVE-2015-6004.
An unauthenticated remote attacker may perform SQL commands on the backend database. An administrator may be able to perform cross-site scripting attacks on other administrators and users.
Apply an update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Ipswitch, Inc||Affected||16 Jul 2015||08 Sep 2015|
CVSS Metrics (Learn More)
Thanks to an anonymous researcher working with Beyond Security's SSD program, Owen Shearing of 7Safe Ltd., and Rapid7 for independently reporting SQL injection issues to us. Thanks to the anonymous researcher and Rapid7 for also reporting cross-site scripting vulnerabilities.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-6004 CVE-2015-6005
- Date Public: 16 Dec 2015
- Date First Published: 16 Dec 2015
- Date Last Updated: 27 Dec 2015
- Document Revision: 66
If you have feedback, comments, or additional information about this vulnerability, please send us email.