{"vuid":"VU#122142","idnumber":"122142","name":"Mercator SENTINEL SQL injection allows authentication bypass","keywords":["CERT-NPS:2011:005"],"overview":"Mercator SENTINEL contains an SQL injection vulnerability that could allow an attacker to bypass authentication and access the system with administrative privileges.","clean_desc":"Mercator SENTINEL is a flight safety management system. The login form of the web interface contains an SQL injection vulnerability. Please see CERT-NPS:2011:005 for more information.","impact":"An attacker with network access to the SENTINEL web interface could access the system with administrative privileges.","resolution":"Upgrade: Credible information indicates that this vulnerability is addressed in SENTINEL version 2.0.1.0.","workarounds":"Restrict access: Restrict access to the SENTINEL web interface to trusted users and networks.","sysaffected":"","thanks":"Thanks to CERT-NETPEAS for reporting this vulnerability. Thanks also to ICS-CERT and aeCERT for their assistance.","author":"This document was written by Art Manion.","public":["http://cert.netpeas.org/2011/06/cert-nps2011005-vulnerabilite-potentielle-dans-la-solution-de-gestion-de-la-securite-operationnelle-des-compagnies-aeriennes-%C2%AB-sentinel-safety-information-management-system-%C2%BB/","http://cert.netpeas.org/2011/06/cert-nps2011005-vulnerabilite-potentielle-dans-la-solution-de-gestion-de-la-securite-operationnelle-des-compagnies-aeriennes-suite/","http://www.mercator.com/customers/CustMap/customermap.html","http://cwe.mitre.org/data/definitions/89.html"],"cveids":["CVE-2011-1913"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2011-06-21T14:06:51Z","publicdate":"2011-06-20T00:00:00Z","datefirstpublished":"2011-09-15T01:37:25Z","dateupdated":"2012-05-10T15:06:37Z","revision":16,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"3","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"4","cam_impact":"18","cam_easeofexploitation":"20","cam_attackeraccessrequired":"15","cam_scorecurrent":"1.215","cam_scorecurrentwidelyknown":"8.1","cam_scorecurrentwidelyknownexploited":"16.2","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"P","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"UC","cvss_collateraldamagepotential":"LM","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9.7","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:P","cvss_temporalscore":"7.9","cvss_environmentalscore":"2.1","cvss_environmentalvector":"CDP:LM/TD:L/CR:ND/IR:ND/AR:ND","metric":1.215,"vulnote":null}