PT-2022-17164 · Unknown · Network Olympus+1

Oscar Uribe

Published

2022-03-08

Updated

2022-03-16

CVE-2022-25225

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Network Olympus version 1.8.0

Description The issue allows an authenticated admin user to inject SQL queries in "/api/eventinstance" via the sqlparameter JSON parameter. It is also possible to achieve remote code execution in the default installation (PostgreSQL) by exploiting this issue.

Recommendations For Network Olympus version 1.8.0, consider disabling access to the "/api/eventinstance" endpoint until a patch is available, and restrict the use of the sqlparameter JSON parameter to minimize the risk of exploitation.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2022-25225

Affected Products

Network Olympus

Postgresql

PT-2022-17164 · Unknown · Network Olympus+1

CVE-2022-25225

Weakness Enumeration

Related Identifiers

Affected Products

References · 5