Details of VAR-201702-0921

ID

VAR-201702-0921

CVE

CVE-2016-9333

TITLE

Moxa SoftCMS SQL Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2016-11357 // CNNVD: CNNVD-201611-430

DESCRIPTION

An issue was discovered in Moxa SoftCMS versions prior to Version 1.6. The SoftCMS Application does not properly sanitize input that may allow a remote attacker access to SoftCMS with administrator's privilege through specially crafted input (SQL INJECTION). Moxa SoftCMS is a set of central management software developed by Moxa for large-scale monitoring systems. The software supports real-time video surveillance, video playback, and event management. An attacker can exploit the vulnerability to run arbitrary code, the application may be denied service conditions due to excessive consumption of resources, access or modify data, or exploit the potential vulnerability in the underlying database to gain database administrator permissions. Moxa SoftCMS is prone to multiple security vulnerabilities. Attackers can exploit this vulnerability to execute arbitrary SQL commands

Trust: 2.52

sources: NVD: CVE-2016-9333 // JVNDB: JVNDB-2016-007635 // CNVD: CNVD-2016-11357 // BID: 94394 // VULHUB: VHN-98153

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-11357

AFFECTED PRODUCTS

vendor:	moxa	model:	softcms	scope:	eq	version:	1.5	Trust: 1.5
vendor:	moxa	model:	softcms	scope:	lte	version:	1.5	Trust: 1.0
vendor:	moxa	model:	softcms	scope:	eq	version:	1.4	Trust: 0.9
vendor:	moxa	model:	softcms	scope:	eq	version:	1.3	Trust: 0.9
vendor:	moxa	model:	softcms	scope:	eq	version:	1.2	Trust: 0.9
vendor:	moxa	model:	softcms	scope:	lt	version:	1.6	Trust: 0.8
vendor:	moxa	model:	softcms	scope:	ne	version:	1.6	Trust: 0.3

sources: CNVD: CNVD-2016-11357 // BID: 94394 // JVNDB: JVNDB-2016-007635 // CNNVD: CNNVD-201611-430 // NVD: CVE-2016-9333

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-9333
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-9333
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2016-11357
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201611-430
value:	HIGH
Trust: 0.6
VULHUB:	VHN-98153
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-9333
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	CVE-2016-9333
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2016-11357
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-98153
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-9333
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	CVE-2016-9333
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2016-11357 // VULHUB: VHN-98153 // JVNDB: JVNDB-2016-007635 // CNNVD: CNNVD-201611-430 // NVD: CVE-2016-9333

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-98153 // JVNDB: JVNDB-2016-007635 // NVD: CVE-2016-9333

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201611-430

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201611-430

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007635

PATCH

title:	SoftCMS	url:	http://www.moxa.com/product/SoftCMS.htm	Trust: 0.8
title:	Patch for Moxa SoftCMS SQL Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/84132	Trust: 0.6
title:	Moxa SoftCMS SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=65771	Trust: 0.6

sources: CNVD: CNVD-2016-11357 // JVNDB: JVNDB-2016-007635 // CNNVD: CNNVD-201611-430

EXTERNAL IDS

db:	NVD	id:	CVE-2016-9333	Trust: 3.4
db:	ICS CERT	id:	ICSA-16-322-02	Trust: 2.8
db:	BID	id:	94394	Trust: 2.6
db:	JVNDB	id:	JVNDB-2016-007635	Trust: 0.8
db:	CNNVD	id:	CNNVD-201611-430	Trust: 0.7
db:	CNVD	id:	CNVD-2016-11357	Trust: 0.6
db:	ZDI	id:	ZDI-16-615	Trust: 0.3
db:	VULHUB	id:	VHN-98153	Trust: 0.1

sources: CNVD: CNVD-2016-11357 // VULHUB: VHN-98153 // BID: 94394 // JVNDB: JVNDB-2016-007635 // CNNVD: CNNVD-201611-430 // NVD: CVE-2016-9333

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-322-02	Trust: 2.8
url:	http://www.securityfocus.com/bid/94394	Trust: 2.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9333	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-9333	Trust: 0.8
url:	http://www.moxa.com/product/softcms.htm	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-16-615/	Trust: 0.3

sources: CNVD: CNVD-2016-11357 // VULHUB: VHN-98153 // BID: 94394 // JVNDB: JVNDB-2016-007635 // CNNVD: CNNVD-201611-430 // NVD: CVE-2016-9333

CREDITS

Zhou Yu working with Trend Micro???s Zero Day Initiative and Gu Ziqiang from Huawei Weiran Labs.

Trust: 0.6

sources: CNNVD: CNNVD-201611-430

SOURCES

db:	CNVD	id:	CNVD-2016-11357
db:	VULHUB	id:	VHN-98153
db:	BID	id:	94394
db:	JVNDB	id:	JVNDB-2016-007635
db:	CNNVD	id:	CNNVD-201611-430
db:	NVD	id:	CVE-2016-9333

LAST UPDATE DATE

2025-04-20T23:22:30.208000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-11357	date:	2016-11-21T00:00:00
db:	VULHUB	id:	VHN-98153	date:	2017-06-28T00:00:00
db:	BID	id:	94394	date:	2016-12-20T16:03:00
db:	JVNDB	id:	JVNDB-2016-007635	date:	2017-03-08T00:00:00
db:	CNNVD	id:	CNNVD-201611-430	date:	2016-11-22T00:00:00
db:	NVD	id:	CVE-2016-9333	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-11357	date:	2016-11-21T00:00:00
db:	VULHUB	id:	VHN-98153	date:	2017-02-13T00:00:00
db:	BID	id:	94394	date:	2016-11-17T00:00:00
db:	JVNDB	id:	JVNDB-2016-007635	date:	2017-03-08T00:00:00
db:	CNNVD	id:	CNNVD-201611-430	date:	2016-11-22T00:00:00
db:	NVD	id:	CVE-2016-9333	date:	2017-02-13T21:59:01.533