CVE-2016-1595

MEDIUM

Micro Focus Novell Service Desk <7.2 - SQL Injection

Title source: llm

Description

LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter.

Exploits (1)

exploitdb WRITEUP

by Pedro Ribeiro · textwebappsjsp

https://www.exploit-db.com/exploits/39687

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory] https://packetstormsecurity.com/files/136646

[Various Sources] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/novell-service-desk-7.1.0.txt

[Vendor Advisory] https://www.novell.com/support/kb/doc.php?id=7017430

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/538043/100/0/threaded

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/39687/

Scores

CVSS v3 6.5

EPSS 0.0352

EPSS Percentile 87.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-200

Status draft

Affected Products (1)

novell/service_desk < 7.1

Timeline

Published Apr 22, 2016

Tracked Since Feb 18, 2026