JVNDB-2019-000056

Panasonic Video Insight VMS vulnerable to SQL injection

Video Insight VMS provided by Panasonic Corporation is a video management suite for video security system. Vide Insight VMS contains a SQL injection vulnerability (CWE-89).

Panasonic Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Panasonic Corporation coordinated under the Information Security Early Warning Partnership.

Panasonic Corporation

• Video Insight VMS 7.6.1 and earlier

For more information, refer to the information provided by the developer.

[2020/06/25 Update]
When this advisory was first published on 2019 September 2, the affected version was described as 7.3.2.5. However, the developer found that the fix was not adequate in version 7.5, thus version 7.6.1 that contains the fix was released later.

A logged in user may execute an arbitrary SQL statement to the database.

[Update the software]
Update the software to the latest version according to the information provided by the developer.

[2020/06/25 Update]
When this advisory was first published on 2019 September 2, the affected version was described as 7.3.2.5. However, the developer found that the fix was not adequate in version 7.5, thus version 7.6.1 that contains the fix was released later.

Panasonic Corporation

• Panasonic : Release Notes - Video Insight IP Server 7.6.1 Maintenance Release
• Panasonic : Downloadvi - IP Server

1. SQL Injection(CWE-89) [IPA Evaluation]

1. CVE-2019-5996

1. JVN : JVN#93833849
2. National Vulnerability Database (NVD) : CVE-2019-5996

• [2019/09/02]
    Web page was published
• [2019/10/08]
    References : Content was added
• [2020/06/25]
    Affected Products were modified
    Solution was modified
    Vendor Information was modified