CVE-2022-24690

Name of the Vulnerable Software and Affected Versions DSK DSKNet versions 2.16.136.0 through 2.17.136.5

Description An issue was discovered that allows unauthenticated users to taint database data and extract sensitive information via crafted HTTP requests. The type of SQL Injection is blind boolean based. An unauthenticated attacker can discover the endpoint by abusing a Broken Access Control issue with further SQL injection attacks to gather all user's badge numbers and PIN codes.

Recommendations For versions 2.16.136.0 through 2.17.136.5, consider disabling the PresAbs.php file until a patch is available to prevent SQL injection attacks. Restrict access to the endpoint to minimize the risk of exploitation. Avoid using crafted HTTP requests to the vulnerable endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.