netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/add_getlogin.php.
SQL Injection vulnerability (CWE-94) occurs in the /admin/add_getlogin.php script. An attacker can submit a crafted HTTP request containing malicious SQL code that is executed directly by the database engine without proper validation or parameterization of input data. No privileges or user interaction are required, meaning the attack can be performed remotely by any person with network access to the device.
An attacker can gain unauthorized access to data stored in the database, modify or delete data, and under favorable conditions take full control of the system — resulting in breach of confidentiality, integrity, and availability.
Apply patches available from the manufacturer according to references. As a temporary measure, it is recommended to restrict network access to the administration panel only from trusted IP addresses and place the administration interface behind a firewall or in an isolated management network.
Netentsec NS-ASG version 6.3 (device firmware and software)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNetentsec Ns Asg
HWNetentsecwszystkie wersjeNetentsec Ns Asg Firmware
OSNetentsec6.3
Related vulnerabilities
SQL Injection w Netentsec NS-ASG 6.3 — panel administracyjny
SQL Injection w Netentsec NS-ASG 6.3 via edit_fire_wall.php
SQL Injection w Netentsec NS-ASG 6.3 — panel administracyjny
netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/export_excel_user.php.
netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/config_ISCGroupSSLCert.php.