netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/edit_virtual_site_info.php.
An attacker sends a crafted HTTP request to the /admin/edit_virtual_site_info.php endpoint, injecting malicious SQL code into input parameters that are not properly validated or parameterized. This allows manipulation of queries directed to the device's database. The lack of authentication requirement (PR:N, UI:N) makes it possible for the attack to be performed remotely without prior access to the system.
An attacker can gain unauthorized access to data stored in the database, modify or delete configuration data, and depending on the database server permissions — potentially take control of the device.
Apply patches available from the manufacturer according to the references. As a temporary workaround, it is recommended to restrict network access to the admin panel exclusively to trusted IP addresses and implement firewall rules blocking access to the /admin/ interface from external networks.
Netentsec NS-ASG version 6.3 (firmware and application).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNetentsec Ns Asg
HWNetentsecwszystkie wersjeNetentsec Ns Asg Firmware
OSNetentsec6.3
Related vulnerabilities
SQL Injection w Netentsec NS-ASG 6.3 via /admin/add_getlogin.php
SQL Injection w Netentsec NS-ASG 6.3 via edit_fire_wall.php
SQL Injection w Netentsec NS-ASG 6.3 — panel administracyjny
netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/export_excel_user.php.
netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/config_ISCGroupSSLCert.php.