CVE-2022-35864

Name of the Vulnerable Software and Affected Versions BMC Track-It! version 20.21.02.109

Description This issue allows remote attackers to disclose sensitive information on affected installations. Authentication is required to exploit this issue. The specific flaw exists within the "GetPopupSubQueryDetails" endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this issue to disclose stored credentials, leading to further compromise.

Recommendations For version 20.21.02.109, as a temporary workaround, consider restricting access to the "GetPopupSubQueryDetails" endpoint until a patch is available. Additionally, ensure proper validation of user-supplied strings to prevent SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this issue.