Abstract Advisory Information


EMS SQL Manager 3.6.2 (build 55333) for Oracle is vulnerable to DLL hijacking: a local user can trigger the execution of arbitrary code every time the product is launched.

Author: Dominique Righetto

Version affected


Name: SQL Manager for Oracle

Versions: 3.6.2 (build 55333)

Common Vulnerability Scoring System


3.1

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Patches


No patch available.

References


  • https://www.sqlmanager.net/

Vulnerability Disclosure Timeline


  • 03/11/2023: Vulnerability discovery
  • 13/11/2023: Vulnerability report sent to CERT-XLM
  • 14/11/2023: Vulnerability report sent to the vendor through the https://www.sqlmanager.net/ ticketing system
  • 17/11/2023: Acknowledgement from the vendor; the vulnerability will be fixed in the next patch
  • 28/11/2023: Update requested from the vendor
  • 13/12/2023: Issue raised again with the vendor, no release date for the fix yet
  • 19/12/2023: Issue raised again with the vendor, no release date for the fix yet; CVE ID requested
  • 22/12/2023: CVE ID assigned: CVE-2023-51710
  • 05/01/2024: Issue raised again with the vendor, no release date for the fix yet
  • 17/01/2024: Issue raised again with the vendor, no release date for the fix yet
  • 23/01/2024: Issue raised again with the vendor, no release date for the fix yet
  • 13/02/2024: Issue raised again with the vendor, no release date for the fix yet
  • 12/03/2024: Issue raised again with the vendor, no release date for the fix yet
  • 09/04/2024: Issue raised again with the vendor, no release date for the fix yet
  • 12/04/2024: Planned public disclosure
  • 18/04/2024: Expected vulnerability disclosure