CVE-2018-15868
Description
SQL injection vulnerability in ChronoScan version 1.5.4.3 and earlier allows an unauthenticated attacker to execute arbitrary SQL commands via the wcr_machineid cookie.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in ChronoScan ≤1.5.4.3 via wcr_machineid cookie allows arbitrary SQL execution.
Vulnerability
ChronoScan version 1.5.4.3 and earlier [1] contains a SQL injection vulnerability in the handling of the wcr_machineid cookie. An unauthenticated attacker can inject arbitrary SQL commands through this cookie parameter without requiring any prior authentication or special configuration.
Exploitation
The attacker sends a crafted HTTP request to a ChronoScan instance with a malicious wcr_machineid cookie value containing SQL syntax. No authentication or user interaction is required; the vulnerability is reachable over the network by any unauthenticated client.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized reading, modification, or deletion of data, including potentially sensitive information stored by the application.
Mitigation
As of the publication date (2019-06-21), no patched version has been disclosed in the available references [1]. Users should monitor the vendor's site for updates or consider restricting network access to ChronoScan instances until a fix is applied.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ChronoScan/ChronoScan
- Range: <=1.5.4.3
Patches
No patches discovered yet.
References
- www.chronoscan.org (mitre, x_refsource_MISC)
- redsec.io/chronoscan-enterprise-unauthenticated-sql-injection (mitre, x_refsource_MISC)