Vulnerability Summary

- Title: Quest NetVault Backup Server Process Manager Service NVBUEventHistory Get Method SQL Injection Remote Code Execution Vulnerability
- ZDI Identifiers: ZDI-17-974, ZDI-CAN-4223
- CVE ID: CVE-2017-17412
- CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- Affected Vendors: Quest
- Affected Products: NetVault Backup
- Vulnerability Details:
  - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Quest NetVault Backup.
  - Authentication is not required to exploit this vulnerability.
  - The specific flaw is due to the lack of proper validation of a user-supplied string before using it to construct SQL queries.
- Additional Details: Fixed in NVBU 11.4.5
- Disclosure Timeline:
  - 2017-12-06: Vulnerability reported to vendor
  - 2017-12-15: Coordinated public release of advisory
- Credit: rgod