An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HBmc Control M\/managed File Transfer
APPBmc9.0.20 – 9.0.22
Related vulnerabilities
BMC Control-M/MFT — zakodowane na stałe dane logowania w kodzie (hardcoded credentials)
An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthen...
BMC Control-M/Agent: Bypass ACL przez NULL byte w certyfikacie klienta
BMC Control-M/Agent: Authentication Bypass przez niezabezpieczony keystore
Path traversal w BMC Control-M/Agent prowadzący do privilege escalation