CVE-2014-2949 – F5 Data Manager discoverFilerBasicInfo.jsft filerName SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-2949
SQL injection vulnerability in the web service in F5 ARX Data Manager 3.0.0 through 3.1.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of F5 Data Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the discoverFilerBasicInfo.jsft page. An attacker is able to inject SQL through the filerName field in this page, and use that to gain full administrator credentials for Data Manager.

• http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15310.html?sr=38021626
• http://www.kb.cert.org/vuls/id/210884
• http://www.securityfocus.com/bid/68078
• http://www.zerodayinitiative.com/advisories/ZDI-14-293

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')