Details of VAR-201712-0123

ID

VAR-201712-0123

CVE

CVE-2017-16735

TITLE

Ecava IntegraXor In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-011531

DESCRIPTION

A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 and prior. The SQL Injection vulnerability has been identified, which generates an error in the database log. This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Ecava IntegraXor. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of the name parameter provided to the getdata page. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose sensitive information under the context of the database. Ecava IntegraXor is a collection of tools for creating and running human-machine interfaces for web-based SCADA systems. Ecava IntegraXor is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query. Ecava IntegraXor 6.1.1030.1 and prior versions are vulnerable

Trust: 3.24

sources: NVD: CVE-2017-16735 // JVNDB: JVNDB-2017-011531 // ZDI: ZDI-17-1000 // CNVD: CNVD-2017-37693 // BID: 102223 // IVD: e2dfa810-39ab-11e9-84d4-000c29342cb1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2dfa810-39ab-11e9-84d4-000c29342cb1 // CNVD: CNVD-2017-37693

AFFECTED PRODUCTS

vendor:	ecava	model:	integraxor	scope:	lte	version:	6.1.1030.1	Trust: 1.8
vendor:	ecava	model:	integraxor	scope:	eq	version:	6.1.1030.1	Trust: 0.9
vendor:	ecava	model:	integraxor	scope:	-	version:	-	Trust: 0.7
vendor:	ecava	model:	integraxor	scope:	lte	version:	<=6.1.1030.1	Trust: 0.6
vendor:	ecava	model:	integraxor	scope:	eq	version:	6.0.522.1	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.6.4000.5	Trust: 0.3
vendor:	ecava	model:	integraxor	scope:	eq	version:	3.6.4000.0	Trust: 0.3
vendor:	integraxor	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: e2dfa810-39ab-11e9-84d4-000c29342cb1 // ZDI: ZDI-17-1000 // CNVD: CNVD-2017-37693 // BID: 102223 // JVNDB: JVNDB-2017-011531 // CNNVD: CNNVD-201712-745 // NVD: CVE-2017-16735

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-16735
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-16735
value:	MEDIUM
Trust: 0.8
ZDI:	CVE-2017-16735
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2017-37693
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201712-745
value:	MEDIUM
Trust: 0.6
IVD:	e2dfa810-39ab-11e9-84d4-000c29342cb1
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2017-16735
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
ZDI:	CVE-2017-16735
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7
CNVD:	CNVD-2017-37693
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2dfa810-39ab-11e9-84d4-000c29342cb1
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-16735
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.0
Trust: 1.8

sources: IVD: e2dfa810-39ab-11e9-84d4-000c29342cb1 // ZDI: ZDI-17-1000 // CNVD: CNVD-2017-37693 // JVNDB: JVNDB-2017-011531 // CNNVD: CNNVD-201712-745 // NVD: CVE-2017-16735

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2017-011531 // NVD: CVE-2017-16735

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-745

TYPE

SQL injection

Trust: 0.8

sources: IVD: e2dfa810-39ab-11e9-84d4-000c29342cb1 // CNNVD: CNNVD-201712-745

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011531

PATCH

title:	Top Page	url:	https://www.integraxor.com/	Trust: 0.8
title:	Ecava has issued an update to correct this vulnerability.	url:	https://ics-cert.us-cert.gov/advisories/ICSA-17-353-03	Trust: 0.7
title:	Patch for Ecava IntegraXor SQL Injection Vulnerability (CNVD-2017-37693)	url:	https://www.cnvd.org.cn/patchInfo/show/111295	Trust: 0.6
title:	Ecava IntegraXor SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77237	Trust: 0.6

sources: ZDI: ZDI-17-1000 // CNVD: CNVD-2017-37693 // JVNDB: JVNDB-2017-011531 // CNNVD: CNNVD-201712-745

EXTERNAL IDS

db:	NVD	id:	CVE-2017-16735	Trust: 4.2
db:	ICS CERT	id:	ICSA-17-353-03	Trust: 2.7
db:	BID	id:	102223	Trust: 0.9
db:	CNVD	id:	CNVD-2017-37693	Trust: 0.8
db:	CNNVD	id:	CNNVD-201712-745	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-011531	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-5386	Trust: 0.7
db:	ZDI	id:	ZDI-17-1000	Trust: 0.7
db:	ICS CERT	id:	ICSA-17-353-04	Trust: 0.6
db:	IVD	id:	E2DFA810-39AB-11E9-84D4-000C29342CB1	Trust: 0.2

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-353-03	Trust: 3.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16735	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-16735	Trust: 0.8
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-353-04	Trust: 0.6
url:	https://www.securityfocus.com/bid/102223	Trust: 0.6
url:	http://www.integraxor.com/	Trust: 0.3

sources: ZDI: ZDI-17-1000 // CNVD: CNVD-2017-37693 // BID: 102223 // JVNDB: JVNDB-2017-011531 // CNNVD: CNNVD-201712-745 // NVD: CVE-2017-16735

CREDITS

Steven Seeley of Source Incite Michael DePlante and Brad Taylor

Trust: 0.7

sources: ZDI: ZDI-17-1000

SOURCES

db:	IVD	id:	e2dfa810-39ab-11e9-84d4-000c29342cb1
db:	ZDI	id:	ZDI-17-1000
db:	CNVD	id:	CNVD-2017-37693
db:	BID	id:	102223
db:	JVNDB	id:	JVNDB-2017-011531
db:	CNNVD	id:	CNNVD-201712-745
db:	NVD	id:	CVE-2017-16735

LAST UPDATE DATE

2025-04-20T23:12:43.953000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-17-1000	date:	2017-12-20T00:00:00
db:	CNVD	id:	CNVD-2017-37693	date:	2017-12-21T00:00:00
db:	BID	id:	102223	date:	2017-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-011531	date:	2018-01-18T00:00:00
db:	CNNVD	id:	CNNVD-201712-745	date:	2017-12-21T00:00:00
db:	NVD	id:	CVE-2017-16735	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	e2dfa810-39ab-11e9-84d4-000c29342cb1	date:	2017-12-21T00:00:00
db:	ZDI	id:	ZDI-17-1000	date:	2017-12-20T00:00:00
db:	CNVD	id:	CNVD-2017-37693	date:	2017-12-21T00:00:00
db:	BID	id:	102223	date:	2017-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2017-011531	date:	2018-01-18T00:00:00
db:	CNNVD	id:	CNNVD-201712-745	date:	2017-12-21T00:00:00
db:	NVD	id:	CVE-2017-16735	date:	2017-12-20T19:29:00.350