CVE-2016-4999

Published: 05/08/2016 Updated: 11/08/2016
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder prior to 0.6.0.Beta1 allows remote malicious users to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.
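The flaw class described above is a string filter value being quoted and concatenated into the SQL text of a data set lookup, so a single quote in the value ends the literal and the remainder is parsed as SQL. The following is an added illustration, not Dashbuilder's own code: the table names, columns, rows and the two `lookup_*` functions are constructed for this example, and it uses an in-memory SQLite database rather than Dashbuilder's SQL data provider. It puts the concatenating lookup beside the parameterised one and runs both against a tautology payload and a UNION payload that reads a second table.

```python
import sqlite3


def build_db():
    """Constructed sample schema (not from the advisory): a 'sales' table that a
    dashboard filter would target, plus an unrelated 'users' table to show that
    injection reaches data the filter was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (id INTEGER, region TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO sales VALUES (?, ?, ?)",
        [(1, "EMEA", 100.0), (2, "APAC", 250.0), (3, "AMER", 75.5)],
    )
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, region_filter):
    """Hypothetical vulnerable lookup: the filter value is wrapped in single
    quotes and spliced into the statement text. Any quote in the value breaks
    out of the literal, so the caller controls the rest of the WHERE clause."""
    sql = "SELECT id FROM sales WHERE region = '" + region_filter + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, region_filter):
    """Hardened lookup: the value is passed as a bind parameter. The driver
    sends it separately from the statement text, so it is only ever data and
    can never change the query's structure."""
    sql = "SELECT id FROM sales WHERE region = ?"
    return [row[0] for row in conn.execute(sql, (region_filter,))]


# Constructed payloads. The first turns the filter into a tautology; the
# second appends a UNION that pulls password hashes from the other table.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT pw_hash FROM users WHERE '1'='1"


def demo():
    """Run both lookups against a legitimate value and both payloads and
    return the results so they can be compared side by side."""
    conn = build_db()
    return {
        "vuln_legit": lookup_vulnerable(conn, "EMEA"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vuln_union": sorted(lookup_vulnerable(conn, UNION_PAYLOAD)),
        "fixed_legit": lookup_fixed(conn, "EMEA"),
        "fixed_tautology": lookup_fixed(conn, TAUTOLOGY_PAYLOAD),
        "fixed_union": lookup_fixed(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16s} -> {rows}")
```

The legitimate value `EMEA` returns row 1 from both functions. Against the concatenating version the tautology payload returns every sales row and the UNION payload returns the two password hashes; the parameterised version returns nothing for either payload, because no region is literally equal to the payload string. Quoting or escaping the value is not an adequate substitute for binding: escaping rules differ per dialect, which is exactly the layer (`DefaultDialect`) the advisory points at.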

Vulnerable Products

dashbuilder project: Dashbuilder (no version listed)
Red Hat JBoss BPM Suite 6.0.0
Red Hat JBoss BPM Suite 6.0.1
Red Hat JBoss BPM Suite 6.0.3
Red Hat JBoss BPM Suite 6.1
Red Hat JBoss BPM Suite 6.1.2
Red Hat JBoss Enterprise BRMS Platform 5.0.0
Red Hat JBoss Enterprise BRMS Platform 5.3.1
Red Hat JBoss Enterprise BRMS Platform 6.0.0
Red Hat JBoss Enterprise BRMS Platform 6.0.1
Red Hat JBoss Enterprise BRMS Platform 6.0.2
Red Hat JBoss Enterprise BRMS Platform 6.0.3
Red Hat JBoss Enterprise BRMS Platform 6.1
Red Hat JBoss Enterprise BRMS Platform 6.3

Vendor Advisories

A security flaw was found in the way Dashbuilder performed SQL dataset lookup requests in the Data Set Authoring UI or the Displayer editor UI. A remote attacker could use this flaw to conduct SQL injection attacks via a specially-crafted string filter parameter ...