CVE-2019-19986

HIGH

Selesta Visual Access Manager 4.15.0-4.29.0 - Unauthenticated SQL Injection via persoid Parameter

Title source: llm
STIX 2.1

Description

An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP (POST or GET) parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based (this means that relies on error messages thrown by the database server to obtain information about the structure of the database).

References (3)

Core 3
Core References
Product, Vendor Advisory x_refsource_misc
https://www.seling.it/product/vam/
Product x_refsource_misc
https://www.seling.it/

Scores

CVSS v3 7.5
EPSS 0.0133
EPSS Percentile 68.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-89
Status published
Products (1)
seling/visual_access_manager 4.15.0 - 4.29.0
Published Feb 26, 2020
Tracked Since Feb 18, 2026