CVE-2018-16659
CRITICAL
Rausoft ID.prove <2.95 - SQL Injection
Title source: llm
Description
An issue was discovered in Rausoft ID.prove 2.95. The login page allows SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter. Hypothetically, an attacker can utilize master..xp_cmdshell for further privilege elevation.
Exploits (1)
exploitdb
WORKING POC
by Ilya Timchenko · text · webapps · windows_x86-64
https://www.exploit-db.com/exploits/45500
Scores
CVSS v3
9.8
EPSS
0.0200
EPSS Percentile
83.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
rausoft/id.prove
2.95
Published
Sep 28, 2018
Tracked Since
Feb 18, 2026