
Navis WebAccess Builds < August 10, 2016 SQLi

High

Synopsis

The detected version of Navis WebAccess may be vulnerable to an SQL injection (SQLi) attack.

Description

Versions of Navis WebAccess built before August 10, 2016 are affected by a flaw that may allow an SQL injection attack. The issue is due to the '/express/showNotice.do' script not properly sanitizing input to the 'GKEY' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data (CVE-2016-5817).

Solution

Upgrade WebAccess to a version built on August 10, 2016 or later.
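
For triage before or after the upgrade, the following added example (not part of the original advisory or of Navis code) scans web server access logs for requests to the script named in the description whose 'GKEY' value is not a plain integer. The combined log format, the assumption that a legitimate GKEY is a decimal key, and the function and constant names are assumptions of this example; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter named in the advisory.
TARGET_PATH = "/express/showNotice.do"
TARGET_PARAM = "GKEY"

# Assumption: a legitimate GKEY is a plain decimal key.
EXPECTED_VALUE = re.compile(r"[0-9]{1,18}")

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_gkey_requests(log_lines):
    """Return (line_number, decoded_value) for each request to the affected
    script whose GKEY value is anything other than a plain integer."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces are seen.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get(TARGET_PARAM, []):
            if not EXPECTED_VALUE.fullmatch(value):
                hits.append((number, value))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up keys).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Sep/2016:10:00:01 +0000] "GET /express/showNotice.do?GKEY=48213 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Sep/2016:10:00:05 +0000] "GET /express/showNotice.do?GKEY=48213%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [01/Sep/2016:10:00:09 +0000] "GET /express/showNotice.do?GKEY=1%20OR%201%3D1 HTTP/1.1" 200 9001',
    '198.51.100.7 - - [01/Sep/2016:10:00:12 +0000] "GET /express/index.do?GKEY=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, value in suspicious_gkey_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected GKEY value {value!r}")
```

Access logs normally record only the query string, so a GKEY value sent in a POST body would not appear here and needs application or WAF logging to be seen.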