A vulnerability in SonicWALL Aventail could allow an unauthenticated, remote attacker to conduct SQL injection attacks on a targeted system.
The vulnerability is due to insufficient validation of user-supplied input performed by the affected software when handling the CategoryID
parameter before using it in a SQL query. An attacker could exploit this vulnerability by sending a crafted URL that supplies a malicious value in the CategoryID
parameter. A successful exploit could allow the attacker to compromise the application and access the back-end database, allowing the attacker to read, modify, add, or delete sensitive information. The attacker could then use that access to conduct additional attacks.
Proof-of-concept code that exploits this vulnerability is publicly available.
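The following is an added illustration of the flaw class described above, not code from SonicWALL Aventail and not the public proof of concept. It uses an in-memory SQLite database with constructed table names, rows, and credential placeholders (all assumptions) to show how a CategoryID value that is concatenated into the query lets an attacker bypass the WHERE clause and read another table, and how a type check plus a bound parameter closes the hole.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions,
# the advisory does not name the affected tables.
CATEGORY_ROWS = [
    (1, "Public FAQ", 0),
    (2, "Partner portal", 1),
    (3, "Internal admin", 1),
]
USER_ROWS = [
    ("alice", "placeholder-hash-1"),
    ("bob", "placeholder-hash-2"),
]


def make_db():
    """Build the in-memory database the two lookup functions run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE categories (CategoryID INTEGER, name TEXT, restricted INTEGER)"
    )
    conn.execute("CREATE TABLE vpn_users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?, ?)", CATEGORY_ROWS)
    conn.executemany("INSERT INTO vpn_users VALUES (?, ?)", USER_ROWS)
    return conn


def lookup_vulnerable(conn, category_id):
    """Concatenates the raw parameter into the statement: the pattern the
    advisory describes. The 'restricted = 0' filter is only as strong as
    the attacker's willingness to comment it out."""
    sql = (
        "SELECT name FROM categories WHERE CategoryID = "
        + category_id
        + " AND restricted = 0"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, category_id):
    """Rejects anything that is not a plain integer, then binds the value
    as a query parameter so it can never be parsed as SQL."""
    if not category_id.isdigit():
        raise ValueError("CategoryID must be a non-negative integer")
    sql = "SELECT name FROM categories WHERE CategoryID = ? AND restricted = 0"
    return [row[0] for row in conn.execute(sql, (int(category_id),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))
    # Tautology: returns every category, including restricted ones.
    print(lookup_vulnerable(db, "1 OR 1=1 --"))
    # UNION: reads a different table through the same parameter.
    print(lookup_vulnerable(db, "0 UNION SELECT username || ':' || pw_hash FROM vpn_users --"))
    print(lookup_hardened(db, "1"))
    try:
        lookup_hardened(db, "1 OR 1=1 --")
    except ValueError as err:
        print("rejected:", err)
```

The input check alone is not the fix; the bound parameter is. The check exists so that a rejected request can be logged and correlated with the IDS signatures discussed below, rather than silently returning an empty result.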
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
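As an added example of the kind of check an IDS rule or a log review would perform for this issue (not vendor-supplied detection content), the code below scans constructed web-server access-log lines for requests whose CategoryID parameter is not a plain integer and reports the SQL tokens found in it. The request path, log format, and the assumption that a legitimate CategoryID is a short decimal number are all assumptions; the sample lines are constructed and are not real SonicWALL Aventail logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in common log format (not real appliance logs).
# The path /portal/list.aspx is an assumption; only the CategoryID parameter
# name comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "GET /portal/list.aspx?CategoryID=3 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2010:10:01:07 +0000] "GET /portal/list.aspx?CategoryID=3%20OR%201%3D1-- HTTP/1.1" 200 8192
10.0.0.9 - - [12/Mar/2010:10:01:15 +0000] "GET /portal/list.aspx?CategoryID=0+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 500 301
10.0.0.7 - - [12/Mar/2010:10:02:40 +0000] "GET /portal/list.aspx?CategoryID=12&page=2 HTTP/1.1" 200 498
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Assumption: a legitimate CategoryID is a short decimal integer.
VALID_ID = re.compile(r"^\d{1,9}$")
# Tokens that have no business appearing in an integer identifier.
SQL_TOKENS = re.compile(
    r"\b(or|and|union|select|from|where|insert|update|delete|drop)\b|--|/\*|;|'",
    re.IGNORECASE,
)


def inspect_request(target):
    """Return (decoded value, reason) if the request carries a suspicious
    CategoryID, otherwise None. parse_qs handles %XX and '+' decoding, so the
    check runs on the value the application itself would see."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in params.items():
        if key.lower() != "categoryid":
            continue
        for value in values:
            if VALID_ID.match(value):
                continue
            tokens = sorted({m.group(0).lower() for m in SQL_TOKENS.finditer(value)})
            reason = ("sql tokens: " + ", ".join(tokens)) if tokens else "non-numeric CategoryID"
            return value, reason
    return None


def scan_log(text):
    """Run inspect_request over each parsable log line; return the hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = inspect_request(m.group("target"))
        if verdict:
            hits.append(
                {"ip": m.group("ip"), "ts": m.group("ts"), "value": verdict[0], "reason": verdict[1]}
            )
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Flagging on "not an integer" rather than on a keyword list is deliberate: keyword signatures are routinely evaded with case changes, inline comments and alternate encodings, while a numeric parameter has no legitimate reason to contain anything else. The keyword scan only adds context to the alert. Note that this inspects GET query strings; if the application also accepts CategoryID in a POST body, the same check must be applied there.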
For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.
The vendor has not confirmed the vulnerability and software updates are not available.