CVE-2019-19986

An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP (POST or GET) parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based (this means that relies on error messages thrown by the database server to obtain information about the structure of the database).
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:seling:visual_access_manager:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-02-26 16:15

Updated : 2024-02-04 20:39


NVD link : CVE-2019-19986

Mitre link : CVE-2019-19986

CVE.ORG link : CVE-2019-19986


JSON object : View

Products Affected

seling

  • visual_access_manager
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')