Overview
Mercator SENTINEL contains an SQL injection vulnerability that could allow an attacker to bypass authentication and access the system with administrative privileges.
Description
Mercator SENTINEL is a flight safety management system. The login form of the web interface contains an SQL injection vulnerability. Please see CERT-NPS:2011:005 for more information.
Impact
An attacker with network access to the SENTINEL web interface could access the system with administrative privileges.
Solution
Upgrade
Credible information indicates that this vulnerability is addressed in SENTINEL version 2.0.1.0.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 9.7 | AV:N/AC:L/Au:N/C:C/I:C/A:P |
Temporal | 7.9 | E:F/RL:W/RC:UC |
Environmental | 2.1 | CDP:LM/TD:L/CR:ND/IR:ND/AR:ND |
References
- http://cert.netpeas.org/2011/06/cert-nps2011005-vulnerabilite-potentielle-dans-la-solution-de-gestion-de-la-securite-operationnelle-des-compagnies-aeriennes-%C2%AB-sentinel-safety-information-management-system-%C2%BB/
- http://cert.netpeas.org/2011/06/cert-nps2011005-vulnerabilite-potentielle-dans-la-solution-de-gestion-de-la-securite-operationnelle-des-compagnies-aeriennes-suite/
- http://www.mercator.com/customers/CustMap/customermap.html
- http://cwe.mitre.org/data/definitions/89.html
Acknowledgements
Thanks to CERT-NETPEAS for reporting this vulnerability. Thanks also to ICS-CERT and aeCERT for their assistance.
This document was written by Art Manion.
Other Information
CVE IDs: CVE-2011-1913
Severity Metric: 1.22
Date Public: 2011-06-20
Date First Published: 2011-09-15
Date Last Updated: 2012-05-10 15:06 UTC
Document Revision: 16