CVE-2014-3857 – Kerio Control 8.3.1 - Blind SQL Injection

https://notcve.org/view.php?id=CVE-2014-3857

Multiple SQL injection vulnerabilities in Kerio Control Statistics in Kerio Control (formerly WinRoute Firewall) before 8.3.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) x_16 or (2) x_17 parameter to print.php. Múltiples vulnerabilidades de inyección SQL en Kerio Control Statistics en Kerio Control (anteriormente WinRoute Firewall) anterior a 8.3.2 permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro (1) x_16 o (2) x_17 en print.php. Kerio Control versions 8.3.1 and below suffer from a boolean-based blind remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/33954 http://fereidani.com/articles/show/76_kerio_control_8_3_1_boolean_based_blind_sql_injection http://osvdb.org/show/osvdb/108584 http://packetstormsecurity.com/files/127320/Kerio-Control-8.3.1-Blind-SQL-Injection.html http://secunia.com/advisories/59215 http://www.exploit-db.com/exploits/33954 http://www.kerio.com/support/kerio-control/release-history http://www.securityfocus.com/archive/1/532607/100/0/threaded • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •