Product: OPTOSS Next Gen Network Management System (NG-NetMS)
Version affected: NG-NetMS v3.6-2 and earlier versions
Product description:
Opt/Net develops the Next Gen Network Management System (NG-NetMS), a new web-based end-to-end management tool. The project is nearly 14 years old and has already proved to be an indispensable tool for rapid data collection during audits and network infrastructure assessments.
This product provides near real-time visibility into networks, ITC infrastructures and interconnected computing resources.
CVE ID: CVE-2019-1000023
CWE ID: CWE-89
#Proof of Concept
The unauthenticated SQL injection vulnerability can be exploited by issuing a specially crafted HTTP GET request. The NG-NetMS v3.4 application fails to properly sanitize untrusted data before adding it to a SQL query. An attacker can include their own SQL commands, which the database will then execute.
Identified vulnerable parameters: id, id_access_type and id_attr_access.
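An added detection example (not part of the advisory or of the NG-NetMS code base): it scans web access log lines for requests in which one of the three parameters listed above carries anything other than a plain integer. That legitimate values are integers is an assumption, and the request paths and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the advisory identifies as injectable.
WATCHED = {"id", "id_access_type", "id_attr_access"}
# Assumption: legitimate values for these parameters are plain integers.
INTEGER = re.compile(r"[0-9]+")
# Request target inside a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return (name, value) pairs whose watched parameter is not an integer."""
    hits = []
    # parse_qsl percent-decodes, so encoded input is inspected in clear text.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name in WATCHED and not INTEGER.fullmatch(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Return [(line_number, hits)] for log lines carrying a suspicious value."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match is None:
            continue  # not a parseable request line
        hits = suspicious_params(match.group(1))
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log lines; "/example/..." paths are placeholders,
# not real NG-NetMS routes.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2019:10:00:01 +0000] "GET /example/view?id=12 HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Feb/2019:10:00:07 +0000] "GET /example/view?id=12%20OR%201%3D1 HTTP/1.1" 200 9040',
    '192.0.2.44 - - [01/Feb/2019:10:00:09 +0000] "GET /example/edit?id_access_type=3&id_attr_access=7%27 HTTP/1.1" 500 310',
    '192.0.2.10 - - [01/Feb/2019:10:00:12 +0000] "GET /example/list?page=2&sort=name%27 HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

The same integer-only check, applied server-side before the value reaches a query that uses bound parameters, rejects these requests instead of only reporting them.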
The following HTTP GET request allows an attacker to exploit the SQL injection vulnerability to return banner information.