Command Centre
CVE-2021-23230
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
A SQL Injection vulnerability in the OPCUA interface of Gallagher Command Centre allows a remote unprivileged Command Centre Operator to modify Command Centre databases undetected. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions.
AnalysisAI
A SQL Injection vulnerability in the OPCUA interface of Gallagher Command Centre allows a remote unprivileged Command Centre Operator to modify Command Centre databases undetected. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. A SQL Injection vulnerability in the OPCUA interface of Gallagher Command Centre allows a remote unprivileged Command Centre Operator to modify Command Centre databases undetected. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); 8.30 versions prior to 8.30.1359 (MR3); 8.20 versions prior to 8.20.1259 (MR5); 8.10 versions prior to 8.10.1284 (MR7); version 8.00 and prior versions. Affected products include: Gallagher Command Centre. Version information: prior to 8.40.1888.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
More in Command Centre
View allIt is possible to enumerate access card credentials via an unauthenticated network connection to the server in versions
An issue was discovered in Gallagher Command Centre 8.10 before 8.10.1092(MR2). Rated critical severity (CVSS 9.8), this
Improper Authorization vulnerability in Gallagher Command Centre Server allows command line macros to be modified by an
Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote
Improper Authentication vulnerability in Gallagher Command Centre Server allows an unauthenticated remote attacker to cr
Client-Side enforcement of Server-Side security for the Command Centre server could be bypassed and lead to invalid conf
Improper Encoding or Escaping in Gallagher Command Centre Server allows a Command Centre Operator to alter the configura
Unquoted service path vulnerability in the Gallagher Controller Service allows an unprivileged user to execute arbitrary
In Gallagher Command Centre versions 8.10 prior to 8.10.1134(MR4), 8.00 prior to 8.00.1161(MR5), 7.90 prior to 7.90.991(
A stack-based buffer overflow in the Command Centre Server allows an attacker to cause a denial of service attack via as
An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV
It is possible for an unauthenticated remote DCOM websocket connection to crash the Command Centre service due to an out
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today