CVE-2016-6566

The Sungard eTRAKiT3 software version 3.2.1.17 may be vulnerable to SQL injection which may allow a remote unauthenticated attacker to run a subset of SQL commands against the back-end database

Description

The valueAsString parameter inside the JSON payload contained by the ucLogin_txtLoginId_ClientStat POST parameter of the Sungard eTRAKiT3 software version 3.2.1.17 is not properly validated. An unauthenticated remote attacker may be able to modify the POST request and insert a SQL query which may then be executed by the backend server. eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.

References

Link	Tags
https://www.kb.cert.org/vuls/id/846103	third party advisory us government resource
http://www.securityfocus.com/bid/94696	vdb entry third party advisory

Frequently Asked Questions

What is the severity of CVE-2016-6566?: CVE-2016-6566 has been scored as a critical severity vulnerability.
How to fix CVE-2016-6566?: To fix CVE-2016-6566, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2016-6566 being actively exploited in the wild?: It is possible that CVE-2016-6566 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~16% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-6566?: CVE-2016-6566 affects Sungard eTRAKiT3.

Description

Category

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

References

Frequently Asked Questions