Details of VAR-201608-0258

ID

VAR-201608-0258

CVE

CVE-2016-5792

TITLE

Moxa SoftCMS SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2016-06107 // CNNVD: CNNVD-201608-056

DESCRIPTION

SQL injection vulnerability in Moxa SoftCMS before 1.5 allows remote attackers to execute arbitrary SQL commands via unspecified fields. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getcaminfo.asp script. When parsing the VWID element, the process fails to properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute arbitrary code in the context of the database access process, which runs as Administrator. Moxa SoftCMS is a set of central management software suitable for monitoring systems. Versions prior to Moxa SoftCMS 1.5 is vulnerable. The software supports real-time video monitoring, video playback and event management, etc

Trust: 3.15

sources: NVD: CVE-2016-5792 // JVNDB: JVNDB-2016-004385 // ZDI: ZDI-16-463 // CNVD: CNVD-2016-06107 // BID: 92262 // VULHUB: VHN-94611

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-06107

AFFECTED PRODUCTS

vendor:	moxa	model:	softcms	scope:	eq	version:	1.4	Trust: 1.5
vendor:	moxa	model:	softcms	scope:	lte	version:	1.4	Trust: 1.0
vendor:	moxa	model:	softcms	scope:	eq	version:	1.3	Trust: 0.9
vendor:	moxa	model:	softcms	scope:	eq	version:	1.2	Trust: 0.9
vendor:	moxa	model:	softcms	scope:	lt	version:	1.5	Trust: 0.8
vendor:	moxa	model:	softcms	scope:	-	version:	-	Trust: 0.7
vendor:	moxa	model:	softcms	scope:	ne	version:	1.5	Trust: 0.3

sources: ZDI: ZDI-16-463 // CNVD: CNVD-2016-06107 // BID: 92262 // JVNDB: JVNDB-2016-004385 // CNNVD: CNNVD-201608-056 // NVD: CVE-2016-5792

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-5792
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-5792
value:	CRITICAL
Trust: 0.8
ZDI:	CVE-2016-5792
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2016-06107
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201608-056
value:	HIGH
Trust: 0.6
VULHUB:	VHN-94611
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-5792
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
ZDI:	CVE-2016-5792
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7
CNVD:	CNVD-2016-06107
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-94611
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-5792
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: ZDI: ZDI-16-463 // CNVD: CNVD-2016-06107 // VULHUB: VHN-94611 // JVNDB: JVNDB-2016-004385 // CNNVD: CNNVD-201608-056 // NVD: CVE-2016-5792

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-94611 // JVNDB: JVNDB-2016-004385 // NVD: CVE-2016-5792

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201608-056

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201608-056

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-004385

PATCH

title:	SoftCMS Trial version	url:	http://www.moxa.com/support/download.aspx?type=support&id=11362	Trust: 0.8
title:	Moxa has issued an update to correct this vulnerability.	url:	https://ics-cert.us-cert.gov/advisories/ICSA-16-215-01	Trust: 0.7
title:	Patch for Moxa SoftCMS SQL Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/80147	Trust: 0.6
title:	Moxa SoftCMS SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63445	Trust: 0.6

sources: ZDI: ZDI-16-463 // CNVD: CNVD-2016-06107 // JVNDB: JVNDB-2016-004385 // CNNVD: CNNVD-201608-056

EXTERNAL IDS

db:	NVD	id:	CVE-2016-5792	Trust: 4.1
db:	ICS CERT	id:	ICSA-16-215-01	Trust: 2.8
db:	ZDI	id:	ZDI-16-463	Trust: 2.1
db:	BID	id:	92262	Trust: 2.0
db:	JVNDB	id:	JVNDB-2016-004385	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-3757	Trust: 0.7
db:	CNNVD	id:	CNNVD-201608-056	Trust: 0.7
db:	CNVD	id:	CNVD-2016-06107	Trust: 0.6
db:	VULHUB	id:	VHN-94611	Trust: 0.1

sources: ZDI: ZDI-16-463 // CNVD: CNVD-2016-06107 // VULHUB: VHN-94611 // BID: 92262 // JVNDB: JVNDB-2016-004385 // CNNVD: CNNVD-201608-056 // NVD: CVE-2016-5792

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-215-01	Trust: 3.5
url:	http://www.securityfocus.com/bid/92262	Trust: 1.1
url:	http://www.zerodayinitiative.com/advisories/zdi-16-463	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5792	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-5792	Trust: 0.8
url:	http://www.securityfocus.com/bid/92262/	Trust: 0.6
url:	http://www.moxa.com/product/softcms.htm	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-16-463/	Trust: 0.3

sources: ZDI: ZDI-16-463 // CNVD: CNVD-2016-06107 // VULHUB: VHN-94611 // BID: 92262 // JVNDB: JVNDB-2016-004385 // CNNVD: CNNVD-201608-056 // NVD: CVE-2016-5792

CREDITS

Zhou Yu

Trust: 0.7

sources: ZDI: ZDI-16-463

SOURCES

db:	ZDI	id:	ZDI-16-463
db:	CNVD	id:	CNVD-2016-06107
db:	VULHUB	id:	VHN-94611
db:	BID	id:	92262
db:	JVNDB	id:	JVNDB-2016-004385
db:	CNNVD	id:	CNNVD-201608-056
db:	NVD	id:	CVE-2016-5792

LAST UPDATE DATE

2025-04-13T23:32:38.101000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-16-463	date:	2016-08-10T00:00:00
db:	CNVD	id:	CNVD-2016-06107	date:	2016-08-08T00:00:00
db:	VULHUB	id:	VHN-94611	date:	2016-11-28T00:00:00
db:	BID	id:	92262	date:	2016-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2016-004385	date:	2016-08-18T00:00:00
db:	CNNVD	id:	CNNVD-201608-056	date:	2016-08-08T00:00:00
db:	NVD	id:	CVE-2016-5792	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-16-463	date:	2016-08-10T00:00:00
db:	CNVD	id:	CNVD-2016-06107	date:	2016-08-08T00:00:00
db:	VULHUB	id:	VHN-94611	date:	2016-08-08T00:00:00
db:	BID	id:	92262	date:	2016-08-02T00:00:00
db:	JVNDB	id:	JVNDB-2016-004385	date:	2016-08-18T00:00:00
db:	CNNVD	id:	CNNVD-201608-056	date:	2016-08-04T00:00:00
db:	NVD	id:	CVE-2016-5792	date:	2016-08-08T00:59:11.673