| VID |
210022 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Novell ZENworks Patch Management is vulnerable to an SQL injection vulnerability via the downloadreport.asp script. The Novell ZENworks Patch Management is the product of the patch and vulnerability management solution for medium and large enterprise networks. ZENworks Patch Management versions prior to 6.3.2.700 could allow a remote attacker to execute arbitrary SQL commands, caused by improper filtering of user-supplied input passed to the 'agentid' and 'pass' parameters of the '/dagent/downloadreport.asp' script. A remote attacker could exploit this vulnerability to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
https://secure-support.novell.com/KanisaPlatform/Publishing/298/3506963_f.SAL_Public.html
http://www.frsirt.com/english/advisories/2006/4864
http://secunia.com/advisories/23243
* Platforms Affected:
Novell ZENworks Patch Management versions prior to 6.3.2.700 |
| Recommendation |
Upgrade to the latest version of Novell ZENworks Patch Management (6.3.2.700 or later), available from the Novell ZENworks Patch Management Web site at http://www.novell.com/products/zenworks/patchmanagement/ |
| Related URL |
CVE-2006-6450 (CVE) |
| Related URL |
21473 (SecurityFocus) |
| Related URL |
30768 (ISS) |
|
