Ecava IntegraXor 5.0.413.0 getdata Requests Handling Multiple SQLi

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A SCADA application installed on the remote Windows host is affected
by multiple SQL injection vulnerabilities.

Description :

The version of Ecava IntegraXor installed on the remote Windows host
is version 5.0.413.0. It is, therefore, affected by the following
vulnerabilities :

- A SQL injection vulnerability exists in the web server
component due to improper sanitization of user-supplied
input to the 'name' parameter in getdata requests. An
unauthenticated, remote attacker can exploit this to
inject or manipulate SQL queries, resulting in the
disclosure or manipulation of arbitrary data.
(CVE-2016-8341 / ZDI-17-058)

- A SQL injection vulnerability exists in the web server
component due to improper sanitization of user-supplied
input to the 'param' parameter in getdata requests. An
unauthenticated, remote attacker can exploit this to
inject or manipulate SQL queries, resulting in the
disclosure or manipulation of arbitrary data.
(CVE-2016-8341 / ZDI-17-059)

See also :

http://www.nessus.org/u?2a1f3927
http://www.nessus.org/u?fc85aa91
http://www.nessus.org/u?79c030b4

Solution :

Upgrade to Ecava IntegraXor version 5.2.722.2 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: SCADA

Nessus Plugin ID: 97327

Bugtraq ID: 95907

CVE ID: CVE-2016-8341
