Sign In
Advisories

OpenBMCS SQL Injection via obix_test.php

Go Back
severity
high
date
Affecting

  • OpenBMCS 2.4

CWE
  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS
8.7
CVSS V4 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Credit
LiquidWorm as Gjoko Krstic of Zero Science Lab, Semen 'samincube' Rozhkov @zeroscience
Description
OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Attackers can send GET requests to /debug/obix_test.php with malicious 'id' values to extract database information.