CVE-2020-26525

CRITICAL

Damstra Smart Asset <2020.7 - SQL Injection

Title source: llm

Description

Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.

Exploits (1)

nomisec WORKING POC 1 stars

by lukaszstu · poc

https://github.com/lukaszstu/SmartAsset-SQLinj-CVE-2020-26525

View Code ZIP pw:eip

References (3)

[Product, Vendor Advisory] https://www.smartasset.com.au/

[Third Party Advisory] https://github.com/lukaszstu/SmartAsset-SQLinj-CVE-2020-26525/blob/main/README.md

[Vendor Advisory] https://support.damstratechnology.com/hc/en-us/categories/900000115446-SmartAsset-Damstra-Asset-Management-Platform

Scores

CVSS v3 9.1

EPSS 0.0842

EPSS Percentile 92.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-89

Status published

Products (1)

damstratechnology/smart_asset 2020.7

Published Oct 02, 2020

Tracked Since Feb 18, 2026