Athoc
CVE-2023-21521
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
An SQL Injection vulnerability in the Management Console (Operator Audit Trail) of BlackBerry AtHoc version 7.15 could allow an attacker to potentially read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
AnalysisAI
An SQL Injection vulnerability in the Management Console (Operator Audit Trail) of BlackBerry AtHoc version 7.15 could allow an attacker to potentially read sensitive data from the database, modify. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. An SQL Injection vulnerability in the Management Console (Operator Audit Trail) of BlackBerry AtHoc version 7.15 could allow an attacker to potentially read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database, recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. Affected products include: Blackberry Athoc. Version information: version 7.15.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
A Reflected Cross-site Scripting (XSS) vulnerability in the Management Console (Reports) of BlackBerry AtHoc version 7.1
An XML External Entity Injection (XXE) vulnerability in the Management System (console) of BlackBerry AtHoc versions ear
A Stored Cross-site Scripting (XSS) vulnerability in the Management Console (User Management and Alerts) of BlackBerry A
A PII Enumeration via Credential Recovery in the Self Service (Credential Recovery) of BlackBerry AtHoc version 7.15 cou
A Stored Cross-Site Scripting (XSS) vulnerability in the Management Console of BlackBerry AtHoc version 7.15 could allow
An Insecure Direct Object Reference (IDOR) vulnerability in the Management Console of BlackBerry® AtHoc® (OnPrem) versio
Same weakness CWE-89 – SQL Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today