MySQL Injection Vulnerability (SQLi)


Article ID: 100052395

Description

Error

None

Cause

A URL-encoded POST input to this API that contains certain prefixes produces a response that some security scanning software reports as a SQL injection vulnerability.

Resolution

Although the condition the scanner reports is present in current versions of the product, it cannot be used to execute malicious SQL statements or to access or modify data. It affects only the API logic that validates the prefix and Bates number combination for a Production Folder.

To stop scanners from reporting it, the API logic that validates the prefix and Bates number combination was modified in eDiscovery version 10.1.1.
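The following is an added example, not the product's code, illustrating the Cause and Resolution above in general terms: why an error-based SQL injection scanner flags a validation endpoint (a probe containing a quote gets a different response than a clean value) and the validation pattern that removes the differential, namely an allow-list check on the decoded prefix and Bates number before any query, a parameterized query, and one uniform rejection response. The POST body layout (prefix and number fields), the Bates prefix format, the SQLite table and its sample ranges are all assumptions made for this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data for the example: prefix, first and last Bates
# number of a production range. Not product data.
SAMPLE_RANGES = [
    ("ACME", 1, 500),
    ("PROD", 1000, 1999),
]

# Assumed Bates format: a prefix of 1-10 uppercase letters or digits and a
# number of up to 9 digits. A real deployment would use its own rule.
PREFIX_RE = re.compile(r"^[A-Z0-9]{1,10}$")
NUMBER_RE = re.compile(r"^[0-9]{1,9}$")


def open_sample_db():
    """In-memory SQLite table standing in for the production folder ranges."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bates_ranges (prefix TEXT, first INTEGER, last INTEGER)")
    conn.executemany("INSERT INTO bates_ranges VALUES (?, ?, ?)", SAMPLE_RANGES)
    return conn


def parse_body(body):
    """Decode a URL-encoded POST body of the assumed form prefix=...&number=..."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("prefix", [""])[0], params.get("number", [""])[0]


def naive_validate_bates(body, conn=None):
    """Hypothetical weak handler (not the product's code).

    It splices the decoded input straight into SQL and echoes the database
    error to the client. A scanner's quote probe therefore gets a response
    that differs from the one a clean value gets, which is the differential
    an error-based SQLi check looks for, and a crafted prefix changes the
    meaning of the query.
    """
    prefix, number = parse_body(body)
    conn = conn or open_sample_db()
    sql = ("SELECT COUNT(*) FROM bates_ranges WHERE prefix = '" + prefix
           + "' AND " + number + " BETWEEN first AND last")
    try:
        count = conn.execute(sql).fetchone()[0]
    except sqlite3.Error as exc:
        return {"ok": False, "reason": "database error: " + str(exc)}
    return {"ok": count > 0, "reason": "valid" if count else "not in production range"}


def validate_bates(body, conn=None):
    """Hardened handler: allow-list the decoded fields before they reach the
    database, bind them as parameters, and answer every malformed input with
    the same response so a probe gets no error text to key on."""
    prefix, number = parse_body(body)
    if not PREFIX_RE.match(prefix) or not NUMBER_RE.match(number):
        return {"ok": False, "reason": "invalid format"}
    conn = conn or open_sample_db()
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM bates_ranges WHERE prefix = ? AND ? BETWEEN first AND last",
        (prefix, int(number)),
    ).fetchone()
    if count == 0:
        return {"ok": False, "reason": "not in production range"}
    return {"ok": True, "reason": "valid"}


if __name__ == "__main__":
    # Constructed scanner-style inputs, URL-encoded as they would travel in a
    # POST body: a clean value, a bare quote, and a quote-OR tautology.
    for body in ("prefix=ACME&number=42",
                 "prefix=ACME%27&number=42",
                 "prefix=ZZZ%27%20OR%20%271%27%3D%271&number=42"):
        print(body)
        print("  naive:   ", naive_validate_bates(body))
        print("  hardened:", validate_bates(body))
```

Run as a script, the naive handler answers the bare-quote probe with a database error and accepts the tautology for a prefix that does not exist, while the hardened handler returns the same "invalid format" response for both probes and only ever queries with bound parameters. The allow-list check is what makes the scanner's probes indistinguishable from any other bad input; the parameterized query is what makes the outcome safe even if a probe did get through.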


Issue/Introduction

Security scans may identify a MySQL Injection vulnerability (SQLi) in the following API: <Esa_Home>web/app/WEB-INF/classes/com/teneo/esa/ajax/folder.ProductionFolderAdminHandler/validateBates.

Additional Information

JIRA: CFT-4238