Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.5
CVE Id: CVE-2006-2718
Last Modified: 05 Sep 2008 05:05:15
Published: 31 May 2006 09:02:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE_INSTANCE

CVE-2006-2718

Summary

JIWA Financials 6.4.14 passes a Microsoft SQL Server account's username and password, and the name of a data source, to a Crystal Reports .rpt file, which allows remote authenticated users to execute certain standard stored procedures by referencing them in a user-written .rpt file, as demonstrated by using a stored procedure that provides the username and cleartext password of every account.

Vulnerable Systems

Application

  • Jiwa Financials 6.4.14


References

SECUNIA - 20342

BUGTRAQ - 20060530 Jiwa Financials - Reporting allows execution of arbitrary reports as SQL user with full permissions.

FULLDISC - 20060529 Jiwa Financials - Reporting allows execution of arbitrary reports as SQL user with full permissions.

XF - jiwa-financials-information-disclosure(26756)

BUGTRAQ - 20060602 Re: Jiwa Financials - Reporting allows execution of arbitrary reports as SQL user with full permissions.

SECTRACK - 1016181

SREASON - 1000


Last Updated: 27 May 2016 10:42:44