Description
SQL injection vulnerability in IT/hardware-list.dll in Kwoksys Kwok Information Server before 2.8.5 allows remote authenticated users to execute arbitrary SQL commands via the (1) hardwareType, (2) hardwareStatus, or (3) hardwareLocation parameter in a search command.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by Yogesh Phadtare · text · webapps · cgi
https://www.exploit-db.com/exploits/38691
References (4)
Core References
Third Party Advisory (x_refsource_misc)
http://www.kwoksys.com/wiki/index.php?title=Release_Notes
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/87067
Exploit (x_refsource_misc)
http://packetstormsecurity.com/files/123193
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf)
https://exchange.xforce.ibmcloud.com/vulnerabilities/86363
Scores
EPSS: 0.0046
EPSS Percentile: 64.1%
Details
CWE: CWE-89
Status: published
Products (2):
kwoksys/information_server 2.8.3
kwoksys/information_server < 2.8.4
Published: Oct 11, 2013
Tracked Since: Feb 18, 2026