Vulnerability Report - ePortal Manager has an SQL injection vulnerability in the Management interface.

Unisys ID: UIS-2018-5
Status: Published
CVE-ID: CVE-2018-8802
Affected Product: CLEARPATHEPORTAL; EPORTAL-2200
Affected Version: ClearPath ePortal before 17.0a.31 or 059.1a.13; EPORTAL-2200 before 2.2.81 or 2.3.82.
Impact: HIGH
CVSS v3.1 Base Score: 7.2
CVSS v3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS v2.0 Base Score:
CVSS v2.0 Vector: Not Supplied
CVSS Temporal Score: 6.7
Common Weakness Enumeration (CWE): 
Common Platform Enumeration (CPE): 
Source: Client Reported
Keyword(s): EPORTAL
Vulnerability Description:
Unisys ClearPath ePortal Manager software running on a Unisys MCP or OS 2200 system may allow an SQL injection attack that can execute malicious SQL statements on the ClearPath ePortal management database. With an SQL injection attack, the ClearPath ePortal Manager database may be compromised, resulting in non-functional ClearPath ePortal Manager software.
System Configuration:
A ClearPath MCP system running 17.0 CLEARPATHEPORTAL software before CLEARPATHEPORTAL-017.0A.31 or 18.0 CLEARPATHEPORTAL software before CLEARPATHEPORTAL-059.1A.13. A ClearPath OS 2200 system running 16.0 EPORTAL-2200 software before EPORTAL-2200-2.2.81 or 17.0 EPORTAL-2200 software before EPORTAL-2200-2.3.82.
Impact of Exploiting Vulnerability:
The CLEARPATHEPORTAL or EPORTAL-2200 Manager database may be compromised, resulting in non-functional Manager software.
Remediation Description:
For a ClearPath MCP system running 17.0, upgrade to CLEARPATHEPORTAL Interim Correction CLEARPATHEPORTAL-017.0A.31 or higher. For a ClearPath MCP system running 18.0, upgrade to CLEARPATHEPORTAL Interim Correction CLEARPATHEPORTAL-059.1A.13 or higher. For a ClearPath OS 2200 system running 16.0, upgrade to EPORTAL-2200 Interim Correction EPORTAL-2200-2.2.81 or higher. For a ClearPath OS 2200 system running 17.0, upgrade to EPORTAL-2200 Interim Correction EPORTAL-2200-2.3.82 or higher.
Workaround Information:
None.
References:
For a ClearPath MCP system, PLE 19221849. For a ClearPath OS 2200 system, PLE 19220869.
Additional Vendor Comment:

Disclaimer:

Unisys Corporation provides the information in this Security Vulnerability Report “AS IS.” No warranties of any nature are extended by or for the information. Unisys disclaims any financial or other responsibility that may result from your use of the information, including direct, indirect, special, or consequential damages.

