Vulnerability Note VU#800227
OneOrZero AIMS authentication bypass and SQLi vulnerabilities
OneOrZero Action & Information Management System (AIMS) is vulnerable to an authentication bypass and SQL injection.
According to the vendor's website:
"OneOrZero AIMS is a powerful enterprise ready suite that includes a help desk, knowledge base, time manager and reporting system supported by a highly configurable and extensible Action & Information Management System that allows you to 'build your own system' on the fly."
$userResult = DB::query($sql, DSN, OOZ_SET_SHOW_SQL);
An unauthenticated remote attacker may be able to bypass authentication or leak database information.
We are currently unaware of a practical solution to this problem.
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|OneOrZero|Affected|-|12 Oct 2011|
Thanks to Yuri Goltsev of Positive Technologies for reporting this vulnerability.
This document was written by Jared Allar.
- CVE IDs: Unknown
- Date Public: 12 Oct 2011
- Date First Published: 13 Oct 2011
- Date Last Updated: 13 Oct 2011
- Severity Metric: 0.07
- Document Revision: 7