CVE-2022-26959 - OpenCVE

There are two full (read/write) Blind/Time-based SQL injection vulnerabilities in the Northstar Club Management version 6.3 application. The vulnerabilities exist in the userName parameter of the processlogin.jsp page in the /northstar/Portal/ directory and the userID parameter of the login.jsp page in the /northstar/iphone/ directory. Exploitation of the SQL injection vulnerabilities allows full access to the database which contains critical data for organization’s that make full use of the software suite.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Globalnorthstar	Northstar Club Management

Configuration 1 [-]

cpe:2.3:a:globalnorthstar:northstar_club_management:6.3:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://assura.atlassian.net/wiki/spaces/VULNS/pages/1842675717/CVE-2022-26959+Northstar+Club+Management+software+version+6.3+-+Full+Blind+Time-based+SQL+Injection
https://www.assurainc.com/services/advisory-services/threat-vuln-assessment/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-16T01:51:08

Updated: 2024-08-03T05:18:38.379Z

Reserved: 2022-03-12T00:00:00

Link: CVE-2022-26959

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-16T02:15:08.987

Modified: 2022-09-19T18:25:17.677

Link: CVE-2022-26959

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "There are two full (read/write) Blind/Time-based SQL injection vulnerabilities in the Northstar Club Management version 6.3 application. The vulnerabilities exist in the userName parameter of the processlogin.jsp page in the /northstar/Portal/ directory and the userID parameter of the login.jsp page in the /northstar/iphone/ directory. Exploitation of the SQL injection vulnerabilities allows full access to the database which contains critical data for organization\u2019s that make full use of the software suite."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-16T01:51:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.assurainc.com/services/advisory-services/threat-vuln-assessment/"}, {"tags": ["x_refsource_MISC"], "url": "https://assura.atlassian.net/wiki/spaces/VULNS/pages/1842675717/CVE-2022-26959+Northstar+Club+Management+software+version+6.3+-+Full+Blind+Time-based+SQL+Injection"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-26959", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There are two full (read/write) Blind/Time-based SQL injection vulnerabilities in the Northstar Club Management version 6.3 application. The vulnerabilities exist in the userName parameter of the processlogin.jsp page in the /northstar/Portal/ directory and the userID parameter of the login.jsp page in the /northstar/iphone/ directory. Exploitation of the SQL injection vulnerabilities allows full access to the database which contains critical data for organization\u2019s that make full use of the software suite."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.assurainc.com/services/advisory-services/threat-vuln-assessment/", "refsource": "MISC", "url": "https://www.assurainc.com/services/advisory-services/threat-vuln-assessment/"}, {"name": "https://assura.atlassian.net/wiki/spaces/VULNS/pages/1842675717/CVE-2022-26959+Northstar+Club+Management+software+version+6.3+-+Full+Blind+Time-based+SQL+Injection", "refsource": "MISC", "url": "https://assura.atlassian.net/wiki/spaces/VULNS/pages/1842675717/CVE-2022-26959+Northstar+Club+Management+software+version+6.3+-+Full+Blind+Time-based+SQL+Injection"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:18:38.379Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.assurainc.com/services/advisory-services/threat-vuln-assessment/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://assura.atlassian.net/wiki/spaces/VULNS/pages/1842675717/CVE-2022-26959+Northstar+Club+Management+software+version+6.3+-+Full+Blind+Time-based+SQL+Injection"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-26959", "datePublished": "2022-09-16T01:51:08", "dateReserved": "2022-03-12T00:00:00", "dateUpdated": "2024-08-03T05:18:38.379Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:globalnorthstar:northstar_club_management:6.3:*:*:*:*:*:*:*", "matchCriteriaId": "269E5527-3ED0-4BE8-B661-77B0058EFBD7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There are two full (read/write) Blind/Time-based SQL injection vulnerabilities in the Northstar Club Management version 6.3 application. The vulnerabilities exist in the userName parameter of the processlogin.jsp page in the /northstar/Portal/ directory and the userID parameter of the login.jsp page in the /northstar/iphone/ directory. Exploitation of the SQL injection vulnerabilities allows full access to the database which contains critical data for organization\u2019s that make full use of the software suite."}, {"lang": "es", "value": "Se presentan dos vulnerabilidades de inyecci\u00f3n SQL completas (lectura/escritura) basadas en el tiempo en la aplicaci\u00f3n Northstar Club Management versi\u00f3n 6.3. Las vulnerabilidades se presentan en el par\u00e1metro userName de la p\u00e1gina processlogin.jsp en el directorio /northstar/Portal/ y en el par\u00e1metro userID de la p\u00e1gina login.jsp en el directorio /northstar/iphone/. La explotaci\u00f3n de las vulnerabilidades de inyecci\u00f3n SQL permite el acceso completo a la base de datos que contiene datos cr\u00edticos para las organizaciones que hacen uso completo de la suite de software"}], "id": "CVE-2022-26959", "lastModified": "2022-09-19T18:25:17.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2022-09-16T02:15:08.987", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://assura.atlassian.net/wiki/spaces/VULNS/pages/1842675717/CVE-2022-26959+Northstar+Club+Management+software+version+6.3+-+Full+Blind+Time-based+SQL+Injection"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://www.assurainc.com/services/advisory-services/threat-vuln-assessment/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}