Detections
Analytics
Navis WebAccess Builds < August 10, 2016 SQLi
high Nessus Network Monitor Plugin ID 9562
Synopsis
The detected version of Navis WebAccess may be vulnerable to an SQL Injection (SQL) attack vector.Description
Versions of Navis WebAccess built befeore August 10, 2016 are affected by a flaw that may allow carrying out an SQL injection attack. The issue is due to the '/express/showNotice.do' script not properly sanitizing input to the 'GKEY' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. (CVE-2016-5817).Solution
Upgrade WebAccess to a version built on August 10, 2016 or later.See Also
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-230-01
Plugin Details
Severity: High
ID: 9562
Family: SCADA
Published: 9/12/2016
Updated: 3/6/2019
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: High
Base Score: 7.3
Temporal Score: 7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:navis:navis_webaccess
Patch Publication Date: 8/10/2016
Vulnerability Publication Date: 8/8/2016
Reference Information
CVE: CVE-2016-5817
BID: 92526