CVE-2021-35487: SQL Injection
First published: Wed May 25 2022(Updated: )
Nokia Broadcast Message Center through 11.1.0 allows an authenticated user to perform a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates (for the Manage Alerts page) via the extIdentifier HTTP POST parameter. This allows an attacker to obtain the database user, database name, and database version information, and potentially database data.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nokia Broadcast Message Center | <=11.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-35487?
The severity of CVE-2021-35487 is medium.
How can an authenticated user exploit CVE-2021-35487?
An authenticated user can exploit CVE-2021-35487 by performing a Boolean Blind SQL Injection attack on the endpoint /owui/block/send-receive-updates via the extIdentifier HTTP POST parameter.
What can an attacker obtain by exploiting CVE-2021-35487?
By exploiting CVE-2021-35487, an attacker can obtain the database user and data.
What is the affected software for CVE-2021-35487?
The affected software for CVE-2021-35487 is Nokia Broadcast Message Center up to and including version 11.1.0.
Is there any additional information available for CVE-2021-35487?
Yes, additional information can be found at the following references: [1] and [2].
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/nokia
- canonical/nokia broadcast message center
- version/nokia broadcast message center/11.1.0