Vulnerability Description
Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to execute arbitrary SQL commands via the (1) start parameter to portal/kb.php; (2) contractid parameter to contract_add_service.php; (3) id parameter to edit_escalation_path.php; (4) unlock, (5) lock, or (6) selected parameter to holding_queue.php; inc parameter in a report action to (7) report_customers.php or (8) report_incidents_by_site.php; (9) start parameter to search.php; or (10) sites parameter to transactions.php.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sitracker | Support Incident Tracker | <= 3.64 |
Related Weaknesses (CWE)
References
- http://secunia.com/advisories/46019Vendor Advisory
- http://sitracker.org/wiki/ReleaseNotes365
- http://www.securityfocus.com/archive/1/519636Exploit
- https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incidenExploit
- http://secunia.com/advisories/46019Vendor Advisory
- http://sitracker.org/wiki/ReleaseNotes365
- http://www.securityfocus.com/archive/1/519636Exploit
- https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_sit_support_incidenExploit
FAQ
What is CVE-2011-5072?
CVE-2011-5072 is a vulnerability with a CVSS score of 7.5 (HIGH). Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to execute arbitrary SQL commands via the (1) start parameter to portal/kb.php; (2) con...
How severe is CVE-2011-5072?
CVE-2011-5072 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-5072?
Check the references section above for vendor advisories and patch information. Affected products include: Sitracker Support Incident Tracker.