Main Vulnerability Database Vulnerabilities #VU12591

SQL injection in HPE Service Manager - CVE-2018-6494

Published: May 11, 2018 / Updated: September 14, 2018

Vulnerability identifier: #VU12591

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-6494

CWE-ID: CWE-89

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Hewlett Packard Enterprise Development LP

Affected software:
HPE Service Manager

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to execute arbitrary SQL commands in web application database.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to vulnerable script, execute arbitrary SQL commands in web application database and gain access to arbitrary data.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

How to mitigate CVE-2018-6494

Update to versions 9.35.P6, 9.41.P6 or 9.52.P2.

Sources

https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03158656

SQL injection in HPE Service Manager - CVE-2018-6494

Detailed vulnerability description

How to mitigate CVE-2018-6494

Sources

Please verify you're human