CVE-2019-19986
HIGHSelesta Visual Access Manager 4.15.0-4.29.0 - Unauthenticated SQL Injection via persoid Parameter
Title source: llmDescription
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP (POST or GET) parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based (this means that relies on error messages thrown by the database server to obtain information about the structure of the database).
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html
Product, Vendor Advisory x_refsource_misc
https://www.seling.it/product/vam/
Product x_refsource_misc
https://www.seling.it/
Scores
CVSS v3
7.5
EPSS
0.0133
EPSS Percentile
68.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-89
Status
published
Products (1)
seling/visual_access_manager
4.15.0 - 4.29.0
Published
Feb 26, 2020
Tracked Since
Feb 18, 2026