CVE-2017-7997

moderate-risk
Published 2018-01-08

Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow remote attackers to execute arbitrary SQL commands via the (1) show_prn parameter to webapp/users/prnow.jsp or show_month parameter to (2) webapp/users/blhistory.jsp or (3) webapp/users/prhistory.jsp.

Do I need to act?

!
10.6% chance of exploitation in next 30 days
EPSS score — higher than 89% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
43447
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Gespage

References (6)

Exploit http://seclists.org/fulldisclosure/2018/Jan/14
Exploit https://sysdream.com/news/lab/2018-01-02-cve-2017-7997-gespage-sql-injection-vul...
Exploit https://www.exploit-db.com/exploits/43447/
Exploit http://seclists.org/fulldisclosure/2018/Jan/14
Exploit https://sysdream.com/news/lab/2018-01-02-cve-2017-7997-gespage-sql-injection-vul...
Exploit https://www.exploit-db.com/exploits/43447/
48
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 11/34 · Low
Exposure 5/34 · Minimal