VU#427547: Agile FleetCommander and FleetCommander Kiosk versions prior to 4.08 contain multiple vulnerabilities
Vulnerability Note VU#427547
Original Release date: 07 Nov 2012 | Last revised: 07 Nov 2012
Agile FleetCommander and FleetCommander Kiosk were found to have multiple XSS, CSRF, information disclosure and SQLi vulnerabilities.
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CVE-2012-4941
SQL Injection Vulnerabilities: Multiple query string parameters for both authenticated and unauthenticated users are not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2012-4942
CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2012-4943
CWE-280: Improper Handling of Insufficient Permissions or Privileges – CVE-2012-4944
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) – CVE-2012-4945
CWE-326: Inadequate Encryption Strength – CVE-2012-4946
CWE-312: Cleartext Storage of Sensitive Information – CVE-2012-4947
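The SQL injection entry above (CVE-2012-4941) describes query string parameters concatenated into SQL. The following Python is an added illustration of that pattern beside its parameterized fix; it is not FleetCommander code, and the `vehicles` table, its rows and the `site` parameter are constructed stand-ins, not the product's schema.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data: a small stand-in for a fleet database.
SCHEMA = """
CREATE TABLE vehicles (id INTEGER PRIMARY KEY, plate TEXT, site TEXT);
INSERT INTO vehicles VALUES (1, 'ABC-123', 'north');
INSERT INTO vehicles VALUES (2, 'XYZ-789', 'south');
"""


def _db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _site_param(query_string):
    # Take the first 'site' value from the raw query string, as a web handler would.
    return parse_qs(query_string).get("site", [""])[0]


def lookup_vulnerable(query_string):
    """Concatenates the parameter into the statement: the value becomes SQL syntax."""
    sql = "SELECT id, plate FROM vehicles WHERE site = '" + _site_param(query_string) + "'"
    return _db().execute(sql).fetchall()


def lookup_parameterized(query_string):
    """Binds the parameter: the database treats it as data, never as SQL."""
    sql = "SELECT id, plate FROM vehicles WHERE site = ?"
    return _db().execute(sql, (_site_param(query_string),)).fetchall()


if __name__ == "__main__":
    # A benign lookup behaves the same either way; a quote-bearing value does not.
    for qs in ("site=north", "site=' OR '1'='1"):
        print(qs, "vulnerable:", lookup_vulnerable(qs),
              "parameterized:", lookup_parameterized(qs))
```

With the second query string the concatenated statement matches every row while the parameterized one matches none, which is the behaviour to check for when reviewing a handler that reads query parameters.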
A remote unauthenticated attacker may obtain sensitive information, cause a denial of service condition or execute arbitrary code with the privileges of the application.
The vendor has stated that these vulnerabilities have been addressed in version 4.08, version 4.08.01 and version 4.09.00. The vendor recommends that users update to version 4.09.00 or higher.
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Agile FleetCommander | Affected | 14 Mar 2012 | 30 Oct 2012 |
Thanks to Travis Lee for reporting this vulnerability.
This document was written by Michael Orlando.
Date First Published: 07 Nov 2012
Date Last Updated: 07 Nov 2012
This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify