SQL Injection Vulnerability in ITSM component of Hornbill Supportworks


    CVE number: CVE-2013-2594

    Impact: High

    Vendor homepage:

    Vendor notified: 19/11/2012

    Vendor response: This issue has reportedly been fixed but the vendor
refused to give version details.

    Credit: Joseph Sheridan of ReactionIS


Affected Products


Supportworks ITSM versions 1.0.0 and possibly other versions


Description

There is a SQL injection vulnerability in the ITSM component of the
Supportworks application. The vulnerable script is calldiary.php, found in the
/reports folder of the webroot. The following URL demonstrates the issue:


This vulnerability can be used to take full control of the host by writing a PHP
webshell to the webroot (using MySQL's 'INTO OUTFILE') through the injected query.
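As an added detection example (not part of the original advisory), the function below scans Apache-style access log lines for requests to the vulnerable script and flags query strings carrying SQL injection indicators, in particular the INTO OUTFILE file write described above. The log lines are constructed, and the query parameter name "callref" is an assumption, since the advisory does not name the injectable parameter.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log in Apache "combined" format. The script path is the one
# named in the advisory; the "callref" parameter name is assumed, not from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Nov/2012:10:01:02 +0000] "GET /reports/calldiary.php?callref=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Nov/2012:10:01:07 +0000] "GET /reports/calldiary.php?callref=1042%27%20OR%201%3D1-- HTTP/1.1" 200 9000 "-" "curl/7.26"
10.0.0.9 - - [19/Nov/2012:10:01:12 +0000] "GET /reports/calldiary.php?callref=1042%27%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fx.php%27-- HTTP/1.1" 500 300 "-" "curl/7.26"
10.0.0.7 - - [19/Nov/2012:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against the URL-decoded query string, most severe first.
INDICATORS = [
    (re.compile(r"into\s+outfile", re.I), "INTO OUTFILE (file write, webshell drop)"),
    (re.compile(r"union\s+select", re.I), "UNION SELECT"),
    (re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I), "boolean tautology"),
    (re.compile(r"--|#|/\*"), "SQL comment"),
]


def find_suspicious_requests(log_text, script="/reports/calldiary.php"):
    """Return one dict per request to `script` whose query matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != script:
            continue  # only the vulnerable report script is of interest here
        # Decode %xx escapes and '+' so the patterns see the SQL as the server would.
        query = unquote_plus(parts.query)
        matched = [name for rx, name in INDICATORS if rx.search(query)]
        if matched:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "status": m.group("status"), "query": query,
                         "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["indicators"], repr(hit["query"]))
```

A matching response status of 200 after an INTO OUTFILE attempt is a signal to check the webroot for newly written .php files; the decoded query is kept in the result so an analyst can see the payload verbatim.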


Impact

An attacker may be able to take full control of the Supportworks server and
execute arbitrary operating-system commands.


Solution

Upgrade to the latest available ITSM version - contact Vendor for more