Navis WebAccess Builds < August 10, 2016 SQLi

High Nessus Network Monitor Plugin ID 9562


The detected version of Navis WebAccess may be vulnerable to an SQL injection (SQLi) attack.


Versions of Navis WebAccess built before August 10, 2016 are affected by a flaw that may allow an SQL injection attack. The issue is due to the '/express/' script not properly sanitizing input to the 'GKEY' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data (CVE-2016-5817).


Upgrade WebAccess to a version built on August 10, 2016 or later.

Plugin Details

Severity: High

ID: 9562

File Name: 9562.prm

Family: SCADA

Published: 2016/09/12

Modified: 2016/10/26

Dependencies: 9561

Risk Information

Risk Factor: High


CVSS v2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C


CVSS v3

Base Score: 7.3

Temporal Score: 7


Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:navis:navis_webaccess

Patch Publication Date: 2016/08/10

Vulnerability Publication Date: 2016/08/08

Reference Information

CVE: CVE-2016-5817

BID: 92526

OSVDB: 142684