Vulnerability Note VU#217836
Wave EMBASSY Remote Administration Server SQL injection vulnerabilities
The Wave EMBASSY Remote Administration Server (ERAS) contains the ERAS Help Desk application that fails to filter user input allowing for the exploitation of SQL injection vulnerabilities. These vulnerabilities may allow a remote authenticated attacker to execute procedures or SQL queries and updates on the vulnerable database application as well as command execution on the target server.
The ERAS 2.8.4 and 2.9.5 Help Desk application has been reported to contain vulnerabilities to blind SQL injection as well as command execution on the target server. The vulnerability requires that the attacker be authenticated in the application.
CWE-79 - Blind SQL Injection - CVE-2013-3577
A remote attacker may be able to execute SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of the database. Additionally, an attacker may be able to execute operating system commands on the server, potentially allowing them to gain control of the server itself.
Apply an Update
Please consider the following workarounds if you are unable to upgrade.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Wave||Affected||14 May 2013||18 Jul 2013|
CVSS Metrics (Learn More)
Thanks to Simone Cecchini from Verizon Enterprise Solutions (GCIS Threat and Vulnerability Management) for discovering this vulnerability. Also, thanks to Thierry Zoller from Verizon Enterprise Solutions for reporting this vulnerability.
This document was written by Chris King.
- CVE IDs: CVE-2013-3577 CVE-2013-3578
- Date Public: 12 Jul 2013
- Date First Published: 12 Jul 2013
- Date Last Updated: 29 Jul 2013
- Document Revision: 23
If you have feedback, comments, or additional information about this vulnerability, please send us email.