in ,

CVE-2021-41765: Unauthenticated SQLi to RCE Chain

Advisory for CVE-2021-41765, a critical SQL injection vulnerability leading to remote code execution, by the red team.

During our assessment of the ResourceSpace code base, we found three new vulnerabilities that could be exploited by an unauthenticated attacker. The most critical is CVE-2021-41765, a pre-auth SQL injection that an attacker can abuse to gain remote code execution (RCE) privileges on the ResourceSpace server. The other two vulnerabilities identified were CVE-2021-41950, a path traversal vulnerability that can be used to delete arbitrary files on the file system, and CVE-2021-41951, a reflected cross-site scripting (XSS) vulnerability. All three vulnerabilities were promptly patched by the vendor, Montala Limited.

This post was created with our nice and easy submission form. Create your post!

What do you think?

Posted by SH

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings

Zero-Day Disclosure: PAN GlobalProtect CVE-2021-3064

ChaosDB Explained: Azure's Cosmos DB Vulnerability Walkthrou