ID

VAR-201712-0122


CVE

CVE-2017-16733


TITLE

SQL injection vulnerability in Ecava IntegraXor

Trust: 0.8

sources: JVNDB: JVNDB-2017-011530

DESCRIPTION

A SQL injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 and prior. An attacker can leverage the vulnerability to disclose sensitive information from the database. Authentication is not required to exploit this vulnerability. The specific flaw exists within the batchlist report page. When parsing the 'to' parameter, the process does not properly validate a user-supplied string before using it to construct SQL queries. Ecava IntegraXor is a collection of tools for creating and running human-machine interfaces for web-based SCADA systems. An attacker can leverage these issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Ecava IntegraXor 6.1.1030.1 and prior versions are vulnerable.

Trust: 3.24

sources: NVD: CVE-2017-16733 // JVNDB: JVNDB-2017-011530 // ZDI: ZDI-17-999 // CNVD: CNVD-2017-37694 // BID: 102223 // IVD: e2dfcf22-39ab-11e9-9906-000c29342cb1

IOT TAXONOMY

category: ['ICS']
sub_category: -

Trust: 0.8

sources: IVD: e2dfcf22-39ab-11e9-9906-000c29342cb1 // CNVD: CNVD-2017-37694

AFFECTED PRODUCTS

vendor: ecava
model: integraxor
scope: lte
version: 6.1.1030.1

Trust: 1.8

vendor: ecava
model: integraxor
scope: eq
version: 6.1.1030.1

Trust: 0.9

vendor: ecava
model: integraxor
scope: -
version: -

Trust: 0.7

vendor: ecava
model: integraxor
scope: lte
version: <=6.1.1030.1

Trust: 0.6

vendor: ecava
model: integraxor
scope: eq
version: 6.0.522.1

Trust: 0.3

vendor: ecava
model: integraxor
scope: eq
version: 3.6.4000.5

Trust: 0.3

vendor: ecava
model: integraxor
scope: eq
version: 3.6.4000.0

Trust: 0.3

vendor: integraxor
model: -
scope: eq
version: *

Trust: 0.2

sources: IVD: e2dfcf22-39ab-11e9-9906-000c29342cb1 // ZDI: ZDI-17-999 // CNVD: CNVD-2017-37694 // BID: 102223 // JVNDB: JVNDB-2017-011530 // CNNVD: CNNVD-201712-744 // NVD: CVE-2017-16733

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16733
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-16733
value: MEDIUM

Trust: 0.8

ZDI: CVE-2017-16733
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2017-37694
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201712-744
value: MEDIUM

Trust: 0.6

IVD: e2dfcf22-39ab-11e9-9906-000c29342cb1
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2017-16733
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 2.5

CNVD: CNVD-2017-37694
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2dfcf22-39ab-11e9-9906-000c29342cb1
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-16733
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: IVD: e2dfcf22-39ab-11e9-9906-000c29342cb1 // ZDI: ZDI-17-999 // CNVD: CNVD-2017-37694 // JVNDB: JVNDB-2017-011530 // CNNVD: CNNVD-201712-744 // NVD: CVE-2017-16733

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2017-011530 // NVD: CVE-2017-16733

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-744

TYPE

SQL injection

Trust: 0.8

sources: IVD: e2dfcf22-39ab-11e9-9906-000c29342cb1 // CNNVD: CNNVD-201712-744

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011530

PATCH

title: Top Page
url: https://www.integraxor.com/

Trust: 0.8

title: Ecava has issued an update to correct this vulnerability.
url: https://ics-cert.us-cert.gov/advisories/ICSA-17-353-03

Trust: 0.7

title: Patch for Ecava IntegraXor SQL Injection Vulnerability (CNVD-2017-37694)
url: https://www.cnvd.org.cn/patchInfo/show/111297

Trust: 0.6

title: Repair measures for the Ecava IntegraXor SQL injection vulnerability
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77236

Trust: 0.6

sources: ZDI: ZDI-17-999 // CNVD: CNVD-2017-37694 // JVNDB: JVNDB-2017-011530 // CNNVD: CNNVD-201712-744

EXTERNAL IDS

db: NVD
id: CVE-2017-16733

Trust: 4.2

db: ICS CERT
id: ICSA-17-353-03

Trust: 2.7

db: BID
id: 102223

Trust: 0.9

db: CNVD
id: CNVD-2017-37694

Trust: 0.8

db: CNNVD
id: CNNVD-201712-744

Trust: 0.8

db: JVNDB
id: JVNDB-2017-011530

Trust: 0.8

db: ZDI_CAN
id: ZDI-CAN-5385

Trust: 0.7

db: ZDI
id: ZDI-17-999

Trust: 0.7

db: ICS CERT
id: ICSA-17-353-04

Trust: 0.6

db: IVD
id: E2DFCF22-39AB-11E9-9906-000C29342CB1

Trust: 0.2

sources: IVD: e2dfcf22-39ab-11e9-9906-000c29342cb1 // ZDI: ZDI-17-999 // CNVD: CNVD-2017-37694 // BID: 102223 // JVNDB: JVNDB-2017-011530 // CNNVD: CNNVD-201712-744 // NVD: CVE-2017-16733

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-17-353-03

Trust: 3.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16733

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-16733

Trust: 0.8

url: https://ics-cert.us-cert.gov/advisories/icsa-17-353-04

Trust: 0.6

url: https://www.securityfocus.com/bid/102223

Trust: 0.6

url: http://www.integraxor.com/

Trust: 0.3

sources: ZDI: ZDI-17-999 // CNVD: CNVD-2017-37694 // BID: 102223 // JVNDB: JVNDB-2017-011530 // CNNVD: CNNVD-201712-744 // NVD: CVE-2017-16733

CREDITS

Steven Seeley of Source Incite, Michael DePlante and Brad Taylor

Trust: 0.7

sources: ZDI: ZDI-17-999

SOURCES

db: IVD, id: e2dfcf22-39ab-11e9-9906-000c29342cb1
db: ZDI, id: ZDI-17-999
db: CNVD, id: CNVD-2017-37694
db: BID, id: 102223
db: JVNDB, id: JVNDB-2017-011530
db: CNNVD, id: CNNVD-201712-744
db: NVD, id: CVE-2017-16733

LAST UPDATE DATE

2025-04-20T23:12:43.877000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-17-999, date: 2017-12-20T00:00:00
db: CNVD, id: CNVD-2017-37694, date: 2017-12-21T00:00:00
db: BID, id: 102223, date: 2017-12-19T00:00:00
db: JVNDB, id: JVNDB-2017-011530, date: 2018-01-18T00:00:00
db: CNNVD, id: CNNVD-201712-744, date: 2017-12-25T00:00:00
db: NVD, id: CVE-2017-16733, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: IVD, id: e2dfcf22-39ab-11e9-9906-000c29342cb1, date: 2017-12-21T00:00:00
db: ZDI, id: ZDI-17-999, date: 2017-12-20T00:00:00
db: CNVD, id: CNVD-2017-37694, date: 2017-12-21T00:00:00
db: BID, id: 102223, date: 2017-12-19T00:00:00
db: JVNDB, id: JVNDB-2017-011530, date: 2018-01-18T00:00:00
db: CNNVD, id: CNNVD-201712-744, date: 2017-12-21T00:00:00
db: NVD, id: CVE-2017-16733, date: 2017-12-20T19:29:00.317