CVE-2015-6004
moderate-risk
Published 2015-12-27
Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter.
Do I need to act?
11.5% chance of exploitation in next 30 days
EPSS score — higher than 89% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.5/10 · Medium · NETWORK / LOW complexity
Affected Products (1)
Affected Vendors
References (10)
Vendor Advisory
http://twitter.com/ipswitch/statuses/677558623229317121
Third Party Advisory
https://www.kb.cert.org/vuls/id/176160
40 / 100 · moderate-risk
Severity: 24/34 · High
Exploitability: 11/34 · Low
Exposure: 5/34 · Minimal