CVE-2010-0712
Zenoss < 2.5 - Authenticated SQL Injection via Events API Parameters
Exploitation Summary
EIP tracks 1 public exploit for CVE-2010-0712. PoCs published by nGenuity Information Services.
AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in Zenoss 2.3.3 by injecting a malicious SQL query into the 'getJSONEventsInfo' endpoint, potentially allowing an attacker to write arbitrary data to a file on the server.
Description
Multiple SQL injection vulnerabilities in zport/dmd/Events/getJSONEventsInfo in Zenoss 2.3.3, and other versions before 2.5, allow remote authenticated users to execute arbitrary SQL commands via the (1) severity, (2) state, (3) filter, (4) offset, and (5) count parameters.