SQL Injection Vulnerability in Proofpoint Insider Threat Management Server
CVE-2021-40842

9.8CRITICAL

Key Information:

Vendor: Proofpoint
Status: Insider Threat Management Server
Vendor: CVE Published:; 13 October 2021

Summary

A SQL injection vulnerability exists in the Web Console of Proofpoint Insider Threat Management Server due to inadequate input validation on the database name parameter in specific unauthenticated APIs. This flaw can be exploited by a malicious URL accessed by anyone with network access, allowing them to execute arbitrary SQL statements on the backend database, potentially compromising sensitive data and overall system integrity.

References

https://www.proofpoint.com/us/security/security-advisories

x_refsource_MISC

https://www.proofpoint.com/us/security/security-advisorie...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 13, 2021
Vulnerability Reserved
Sep 10, 2021