CVE-2020-29574


CVSS 9.8 CRITICAL · EPSS 4.7% · KEV · CWE-89
In short

An attacker can inject malicious SQL commands into the WebAdmin interface of Cyberoam OS without needing a password, allowing them to steal or manipulate all data in the database.

Technical detail

The WebAdmin interface of Cyberoam OS incorporates unsanitized user input into SQL queries, enabling unauthenticated remote attackers to execute arbitrary SQL statements with database privileges. The attack vector is network-based and requires no authentication, leading to complete compromise of confidentiality, integrity, and availability.

Summary generated and translated by AI from the official description.
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
