CVE-2018-7841 – Schneider Electric U.motion Builder SQL Injection Vulnerability

https://notcve.org/view.php?id=CVE-2018-7841

A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered. Existe una vulnerabilidad de Inyección de SQL (CWE-89) en U.motion Builder versión de software 1.3.4, que podría generar la ejecución de código no deseado cuando un ajuste inapropiado de caracteres es introducido. Schneider Electric U.Motion Builder version 1.3.4 suffers from an unauthenticated command injection vulnerability in track_import_export.php. A SQL Injection vulnerability exists in U.motion Builder software which could cause unwanted code execution when an improper set of characters is entered. • https://www.exploit-db.com/exploits/46846 http://packetstormsecurity.com/files/152862/Schneider-Electric-U.Motion-Builder-1.3.4-Command-Injection.html http://seclists.org/fulldisclosure/2019/May/26 https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-02 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •