CVE-2011-5071

Published: 29/01/2012 Updated: 02/02/2012
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 770
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) prior to 3.64 allow remote malicious users to execute arbitrary SQL commands via the (1) exc[] parameter to report_marketing.php, (2) selected[] parameter to tasks.php, (3) sites[] parameter to billable_incidents.php, or (4) search_string parameter to search.php. NOTE: some of these details are obtained from third party information.

Vulnerable Product

sitracker support incident tracker 3.32

sitracker support incident tracker 3.31

sitracker support incident tracker 3.30

sitracker support incident tracker 3.51

sitracker support incident tracker 3.50

sitracker support incident tracker 3.45

sitracker support incident tracker 3.41

sitracker support incident tracker 3.22

sitracker support incident tracker 3.21

sitracker support incident tracker 3.63

sitracker support incident tracker 3.61

sitracker support incident tracker 3.6

sitracker support incident tracker 3.40

sitracker support incident tracker 3.35

sitracker support incident tracker 3.24

sitracker support incident tracker 3.22pl1

sitracker support incident tracker 3.62

sitracker support incident tracker 3.60

sitracker support incident tracker 3.36

sitracker support incident tracker 3.33

sitracker support incident tracker 3.23

sitracker support incident tracker

Exploits

source: www.securityfocus.com/bid/48896/info Support Incident Tracker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulner ...