CVE-2017-17417

Published: 08/02/2018 | Updated: 09/10/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

This vulnerability allows remote malicious users to execute arbitrary code on vulnerable installations of Quest NetVault Backup 11.3.0.12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NVBUPhaseStatus Acknowledge method requests. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the underlying database. Was ZDI-CAN-4228.

Vulnerable Product

Quest NetVault Backup 11.3.0.12

Exploits

# Exploit Title: Quest NetVault Backup Server < 1145 Process Manager Service SQL Injection Remote Code Execution Vulnerability (ZDI-17-982)
# Date: 2-21-2019
# Exploit Author: credit goes to rgod for finding the bug
# Version: Quest NetVault Backup Server < 1145
# CVE : CVE-2017-17417
# There is a decent description of the bug here: http ...
Quest NetVault Backup Server versions prior to 1145 suffer from process manager service SQL injection and remote code execution vulnerabilities ...