CVE-2018-7841
In short
U.motion Builder 1.3.4 allows attackers to inject malicious SQL code through improper character input, potentially gaining unauthorized access to the database or executing arbitrary commands on the system.
Technical detail
SQL Injection vulnerability in U.motion Builder 1.3.4 allows remote attackers to execute arbitrary SQL queries by crafting specially-formatted input that bypasses input validation, enabling unauthorized database access, data exfiltration, or code execution depending on database permissions and application context.
Summary generated and translated by AI from the official description.
A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
U.motion · U.motion Builder software version 1.3.4
Public PoCs found — 2
cve_reference: packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html (unverified)
exploitdb: www.exploit-db.com/exploits/46846 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html
http://seclists.org/fulldisclosure/2019/May/26
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7841
https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02