Web application abuses : webERP Information Disclosure, SQL Injection, and Cross Site Scripting Vulnerabilities

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.103343

Category: Web application abuses

Title: webERP Information Disclosure, SQL Injection, and Cross Site Scripting Vulnerabilities

Summary: webERP is prone to information-disclosure, SQL-injection, and cross-;site scripting vulnerabilities because it fails to sufficiently;sanitize user-supplied input.;;An attacker may exploit the information-disclosure issue to gain;access to sensitive information that may lead to further attacks.;;An attacker may exploit the SQL-injection issue to compromise the;application, access or modify data, or exploit latent vulnerabilities;in the underlying database.;;An attacker may leverage the cross-site scripting issue to execute;arbitrary script code in the browser of an unsuspecting user in the;context of the affected site. This may allow the attacker to steal cookie-;based authentication credentials and launch other attacks.;;webERP 4.0.5 is vulnerable. Prior versions may also be affected.

Description: Summary:
webERP is prone to information-disclosure, SQL-injection, and cross-
site scripting vulnerabilities because it fails to sufficiently
sanitize user-supplied input.

An attacker may exploit the information-disclosure issue to gain
access to sensitive information that may lead to further attacks.

An attacker may exploit the SQL-injection issue to compromise the
application, access or modify data, or exploit latent vulnerabilities
in the underlying database.

An attacker may leverage the cross-site scripting issue to execute
arbitrary script code in the browser of an unsuspecting user in the
context of the affected site. This may allow the attacker to steal cookie-
based authentication credentials and launch other attacks.

webERP 4.0.5 is vulnerable. Prior versions may also be affected.

Solution:
Vendor updates are available. Please see the references for more
information.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Copyright Copyright (C) 2011 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.103343
Category:	Web application abuses
Title:	webERP Information Disclosure, SQL Injection, and Cross Site Scripting Vulnerabilities
Summary:	webERP is prone to information-disclosure, SQL-injection, and cross-;site scripting vulnerabilities because it fails to sufficiently;sanitize user-supplied input.;;An attacker may exploit the information-disclosure issue to gain;access to sensitive information that may lead to further attacks.;;An attacker may exploit the SQL-injection issue to compromise the;application, access or modify data, or exploit latent vulnerabilities;in the underlying database.;;An attacker may leverage the cross-site scripting issue to execute;arbitrary script code in the browser of an unsuspecting user in the;context of the affected site. This may allow the attacker to steal cookie-;based authentication credentials and launch other attacks.;;webERP 4.0.5 is vulnerable. Prior versions may also be affected.
Description:	Summary: webERP is prone to information-disclosure, SQL-injection, and cross- site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks. An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie- based authentication credentials and launch other attacks. webERP 4.0.5 is vulnerable. Prior versions may also be affected. Solution: Vendor updates are available. Please see the references for more information. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Copyright	Copyright (C) 2011 Greenbone AG