SQL injection in U.motion Builder - CVE-2017-7973
Published: June 30, 2017 / Updated: June 30, 2017
Vulnerability identifier: #VU7261
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-7973
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Schneider Electric
Affected software: U.motion Builder
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary SQL commands in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can make calls to various paths in order to execute arbitrary SQL statements and commands.
Successful exploitation of the vulnerability may allow an attacker to gain complete control over the vulnerable database.
How to mitigate CVE-2017-7973
Cybersecurity Help is currently unaware of any official patch addressing the vulnerability.