SQL injection vulnerability in the web-based administration interface for iisPROTECT 2.2-r4, and possibly earlier versions, allows remote attackers to insert arbitrary SQL and execute code via certain variables, as demonstrated using the GroupName variable in SiteAdmin.ASP.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.00895 Percentile:
0.74618
CVSS Scoring
CVSS v2 Score: 7.5
Severity:
Mapped CWE(s)
CWE-89
: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
All CAPEC(s)
CAPEC-108: Command Line Execution through SQL Injection
CAPEC-109: Object Relational Mapping Injection
CAPEC-110: SQL Injection through SOAP Parameter Tampering
CAPEC-470: Expanding Control over the Operating System from the Database