{"containers": {"cna": {"affected": [{"product": "Command Centre", "vendor": "Gallagher", "versions": [{"lessThanOrEqual": "7.90", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "8.30.1236(MR1)", "status": "affected", "version": "8.30", "versionType": "custom"}, {"lessThan": "8.20.1166(MR3)", "status": "affected", "version": "8.20", "versionType": "custom"}, {"lessThan": "8.10.1211(MR5)", "status": "affected", "version": "8.10", "versionType": "custom"}, {"lessThan": "8.00.1228(MR6)", "status": "affected", "version": "8.00", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-14T19:23:30.000Z", "orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "shortName": "Gallagher"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "disclosures@gallagher.com", "ID": "CVE-2020-16104", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Command Centre", "version": {"version_data": [{"version_affected": "<", "version_name": "8.30", "version_value": "8.30.1236(MR1)"}, {"version_affected": "<", "version_name": "8.20", "version_value": "8.20.1166(MR3)"}, {"version_affected": "<", "version_name": "8.10", "version_value": "8.10.1211(MR5)"}, {"version_affected": "<", "version_name": "8.00", "version_value": "8.00.1228(MR6)"}, {"version_affected": "<=", "version_value": "7.90"}]}}]}, "vendor_name": "Gallagher"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104", "refsource": "MISC", "url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104"}]}, "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:37:54.203Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104"}]}]}, "cveMetadata": {"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc", "assignerShortName": "Gallagher", "cveId": "CVE-2020-16104", "datePublished": "2020-12-14T19:23:30.000Z", "dateReserved": "2020-07-28T00:00:00.000Z", "dateUpdated": "2024-08-04T13:37:54.203Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEC327DD-614D-4F03-B77A-941EFE1269F3", "versionEndExcluding": "7.90.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AF24E0D-FEF8-4814-A689-50869362C70A", "versionEndExcluding": "8.00.1228", "versionStartIncluding": "8.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "55BB8603-0AAE-49A3-B127-374F24C498DE", "versionEndExcluding": "8.10.1211", "versionStartIncluding": "8.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE7DBECA-3C79-4346-AB66-B7538B230FE7", "versionEndExcluding": "8.20.1166", "versionStartIncluding": "8.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0DEE3F1-6EE3-4D31-BDF2-648F45C0EC20", "versionEndExcluding": "8.30.1236", "versionStartIncluding": "8.30", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:8.00.1228:-:*:*:*:*:*:*", "matchCriteriaId": "B5A79B43-E943-44E2-B13A-64F955518C8F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:8.00.1228:maintenance_release6:*:*:*:*:*:*", "matchCriteriaId": "8032E6B3-B5D4-4009-936B-35CA03CF0256", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:8.10.1211:-:*:*:*:*:*:*", "matchCriteriaId": "E672F2DB-6C4D-4549-977C-F4EDBCC461E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:8.10.1211:maintenance_release5:*:*:*:*:*:*", "matchCriteriaId": "4AE5C9DA-0A88-4A55-9395-7C2D357D9FF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:8.20.1166:-:*:*:*:*:*:*", "matchCriteriaId": "3DACA47B-78DA-4ED5-A15B-04556FA11865", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:8.20.1166:maintenance_release3:*:*:*:*:*:*", "matchCriteriaId": "38E86AF8-3460-4007-B5A2-0E4EA3F42974", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:8.30.1236:-:*:*:*:*:*:*", "matchCriteriaId": "34322F73-2AEF-4920-96DD-B138125A0660", "vulnerable": true}, {"criteria": "cpe:2.3:a:gallagher:command_centre:8.30.1236:maintenance_release1:*:*:*:*:*:*", "matchCriteriaId": "784CE63C-BE80-4111-9A56-6CD03CAE6E0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n SQL en Enterprise Data Interface de Gallagher Command Centre, permite a un atacante remoto con privilegio de \"Edit Enterprise Data Interfaces\" ejecutar un SQL arbitrario contra una base de datos de terceros si EDI est\u00e1 configurado para importar datos de esta base de datos.&#xa0;Este problema afecta a: Gallagher Command Center versiones 8.30 anteriores a 8.30.1236(MR1);&#xa0;versiones 8.20 anteriores a 8.20.1166(MR3);&#xa0;versiones 8.10 anteriores a 8.10.1211 (MR5);&#xa0;versiones 8.00 anteriores a 8.00.1228(MR6);&#xa0;versi\u00f3n 7.90 y versiones anteriores."}], "id": "CVE-2020-16104", "lastModified": "2024-11-21T05:06:47.130", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.3, "source": "disclosures@gallagher.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-14T20:15:12.247", "references": [{"source": "disclosures@gallagher.com", "tags": ["Vendor Advisory"], "url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.gallagher.com/Security-Advisories/CVE-2020-16104"}], "sourceIdentifier": "disclosures@gallagher.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosures@gallagher.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}