Details of VAR-201502-0089

ID

VAR-201502-0089

CVE

CVE-2015-1605

TITLE

Dell ScriptLogic Asset Manager In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-001620

DESCRIPTION

Multiple SQL injection vulnerabilities in Dell ScriptLogic Asset Manager (aka Quest Workspace Asset Manager) before 9.5 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to (1) GetClientPackage.aspx or (2) GetProcessedPackage.aspx. Authentication is not required to exploit this vulnerability.To exploit this security flaw, an attacker would make a specially crafted web request to a handler named GetClientPackage.aspx that is installed as part of this product. An attacker can leverage this vulnerability to execute code under the context of NETWORK SERVICE. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dell ScriptLogic Asset Manager is a tool developed by Dell for managing software and hardware assets

Trust: 3.24

sources: NVD: CVE-2015-1605 // JVNDB: JVNDB-2015-001620 // ZDI: ZDI-15-049 // ZDI: ZDI-15-048 // BID: 72697 // VULHUB: VHN-79566

AFFECTED PRODUCTS

vendor:	dell	model:	asset manager	scope:	-	version:	-	Trust: 1.4
vendor:	dell	model:	asset manager	scope:	lte	version:	9.0.0	Trust: 1.0
vendor:	dell	model:	asset manager	scope:	lt	version:	9.5	Trust: 0.8
vendor:	dell	model:	asset manager	scope:	eq	version:	9.0.0	Trust: 0.6

sources: ZDI: ZDI-15-049 // ZDI: ZDI-15-048 // JVNDB: JVNDB-2015-001620 // CNNVD: CNNVD-201502-357 // NVD: CVE-2015-1605

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2015-1605
value:	HIGH
Trust: 1.4
nvd@nist.gov:	CVE-2015-1605
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-1605
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201502-357
value:	HIGH
Trust: 0.6
VULHUB:	VHN-79566
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-1605
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 3.2
VULHUB:	VHN-79566
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: ZDI: ZDI-15-049 // ZDI: ZDI-15-048 // VULHUB: VHN-79566 // JVNDB: JVNDB-2015-001620 // CNNVD: CNNVD-201502-357 // NVD: CVE-2015-1605

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-79566 // JVNDB: JVNDB-2015-001620 // NVD: CVE-2015-1605

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201502-357

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201502-357

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-001620

PATCH

title:

Asset Manager

url:

https://support.software.dell.com/asset-manager/9.5

Trust: 2.2

sources: ZDI: ZDI-15-049 // ZDI: ZDI-15-048 // JVNDB: JVNDB-2015-001620

EXTERNAL IDS

db:	NVD	id:	CVE-2015-1605	Trust: 4.2
db:	ZDI	id:	ZDI-15-049	Trust: 3.2
db:	ZDI	id:	ZDI-15-048	Trust: 3.2
db:	BID	id:	72697	Trust: 2.0
db:	JVNDB	id:	JVNDB-2015-001620	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2335	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-2334	Trust: 0.7
db:	CNNVD	id:	CNNVD-201502-357	Trust: 0.7
db:	VULHUB	id:	VHN-79566	Trust: 0.1

sources: ZDI: ZDI-15-049 // ZDI: ZDI-15-048 // VULHUB: VHN-79566 // BID: 72697 // JVNDB: JVNDB-2015-001620 // CNNVD: CNNVD-201502-357 // NVD: CVE-2015-1605

REFERENCES

url:	http://www.zerodayinitiative.com/advisories/zdi-15-048/	Trust: 2.5
url:	http://www.zerodayinitiative.com/advisories/zdi-15-049/	Trust: 2.5
url:	http://www.securityfocus.com/bid/72697	Trust: 1.7
url:	https://support.software.dell.com/asset-manager/9.5	Trust: 1.4
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-1605	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-1605	Trust: 0.8

sources: ZDI: ZDI-15-049 // ZDI: ZDI-15-048 // VULHUB: VHN-79566 // JVNDB: JVNDB-2015-001620 // CNNVD: CNNVD-201502-357 // NVD: CVE-2015-1605

CREDITS

Andrea Micalizzi (rgod)

Trust: 1.7

sources: ZDI: ZDI-15-049 // ZDI: ZDI-15-048 // BID: 72697

SOURCES

db:	ZDI	id:	ZDI-15-049
db:	ZDI	id:	ZDI-15-048
db:	VULHUB	id:	VHN-79566
db:	BID	id:	72697
db:	JVNDB	id:	JVNDB-2015-001620
db:	CNNVD	id:	CNNVD-201502-357
db:	NVD	id:	CVE-2015-1605

LAST UPDATE DATE

2025-04-13T23:42:05.065000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-15-049	date:	2015-02-20T00:00:00
db:	ZDI	id:	ZDI-15-048	date:	2015-02-20T00:00:00
db:	VULHUB	id:	VHN-79566	date:	2015-02-25T00:00:00
db:	BID	id:	72697	date:	2015-02-20T00:00:00
db:	JVNDB	id:	JVNDB-2015-001620	date:	2015-02-26T00:00:00
db:	CNNVD	id:	CNNVD-201502-357	date:	2015-02-27T00:00:00
db:	NVD	id:	CVE-2015-1605	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-15-049	date:	2015-02-20T00:00:00
db:	ZDI	id:	ZDI-15-048	date:	2015-02-20T00:00:00
db:	VULHUB	id:	VHN-79566	date:	2015-02-24T00:00:00
db:	BID	id:	72697	date:	2015-02-20T00:00:00
db:	JVNDB	id:	JVNDB-2015-001620	date:	2015-02-26T00:00:00
db:	CNNVD	id:	CNNVD-201502-357	date:	2015-02-27T00:00:00
db:	NVD	id:	CVE-2015-1605	date:	2015-02-24T15:59:07.613