CVE-2019-10123

CRITICAL

AIS ESEL-Server 67 - SQL Injection

Description

SQL Injection in Advanced InfoData Systems (AIS) ESEL-Server 67 (which is the backend for the AIS logistics mobile app) allows an anonymous attacker to execute arbitrary code in the context of the user of the MSSQL database. The default user for the database is the 'sa' user.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/46782

metasploit · WORKING POC · EXCELLENT
by Manuel Feifel · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ais_esel_server_rce.rb

Scores

CVSS v3: 9.8
EPSS: 0.7980
EPSS Percentile: 99.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): ais/logistic_software < 67
Published: May 31, 2019
Tracked Since: Feb 18, 2026