Vulnerability Note VU#485324
ANTLabs InnGate gateway device contains SQL injection and reflected cross-site scripting vulnerabilities
ANTlabs InnGate is a gateway device designed for operating corporate guest/visitor networks. Multiple InnGate models have been confirmed to be vulnerable to SQL injection and cross-site scripting attacks.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-2849
The ppli URL parameter of the main.ant page is vulnerable to SQL injection. A remote attacker can perform arbitrary queries on the underlying database. According to ANTLabs, only https connections are vulnerable to this attack.
The CVSS score below is based on CVE-2015-2849.
A remote attacker may be able exploit CVE-2015-2849 to execute arbitrary queries on the backend datastore.
Apply an update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|ANTlabs||Affected||20 Apr 2015||06 Jul 2015|
CVSS Metrics (Learn More)
Thanks to Devesh Logendran for reporting these vulnerabilities.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-2849 CVE-2015-2850
- Date Public: 06 Jul 2015
- Date First Published: 06 Jul 2015
- Date Last Updated: 06 Jul 2015
- Document Revision: 42
If you have feedback, comments, or additional information about this vulnerability, please send us email.