CVE-2021-40842

CRITICAL

Proofpoint Insider Threat Management Server <7.11.2 - SQL Injection

Title source: llm
STIX 2.1

Description

Proofpoint Insider Threat Management Server contains a SQL injection vulnerability in the Web Console. The vulnerability exists due to improper input validation on the database name parameter required in certain unauthenticated APIs. A malicious URL visited by anyone with network access to the server could be used to blindly execute arbitrary SQL statements on the backend database. Version 7.12.0 and all versions prior to 7.11.2 are affected.

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0096
EPSS Percentile 57.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (2)
proofpoint/insider_threat_management_server 7.12.0
proofpoint/insider_threat_management_server < 7.11.2
Published Oct 13, 2021
Tracked Since Feb 18, 2026