CVE-2019-17128

Netreo OmniCenter through 12.1.1 allows unauthenticated SQL Injection (Boolean Based Blind) in the redirect parameters and parameter name of the login page through a GET request. The injection allows an attacker to read sensitive information from the database used by the application.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
netreoomnicenter
𝑥
≤ 12.1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/154763/OmniCenter-12.1.1-SQL-Injection.html
https://www.netreo.com/blog/omnicenter-12-now-available-extensible-integration-unlimited-scalability-device-grouping/
http://packetstormsecurity.com/files/154763/OmniCenter-12.1.1-SQL-Injection.html
https://www.netreo.com/blog/omnicenter-12-now-available-extensible-integration-unlimited-scalability-device-grouping/