N/A

SQL injection vulnerability in VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3 allows remote attackers to execute arbitrary SQL commands via the UpdateID0 parameter to Service_Requests.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this issue, saying that "[we] have a behind the scenes complex state management system that uses a combination of keys placed in JavaScript and Session State (server side) that protects against the type of SQL injection you describe. We have tested for many of the cases and have not found it to be an issue." Further investigation suggests that the original researcher might have triggered errors using invalid field values, which is not proof of SQL injection; however, the vendor did not receive a response from the original researcher

N/A

N/A

Virtual Communication Services VPMi Enterprise Service_Requests.ASP SQL注入漏洞

** 有争议 ** VCS Virtual Program Management Intranet (VPMi) Enterprise 3.3中存在SQL注入漏洞。远程攻击者可以借助指向Service_Requests.asp的UpdateID0参数执行任意SQL命令。注意：此信息的来源不详；详情由第三方独家提供。注意：厂商对此问题有争议，说"[我们]具有后台复杂状态管理系统，使用位于JavaScript和Session State(服务器端)中的密钥组合，可以防范你们所说的那种类型的SQL注入。我们已在

N/A

N/A