PT-2022-27078 · Microsoft · Mssql
Steffen Robertz
·
Published
2022-12-25
·
Updated
2023-01-05
·
CVE-2022-44015
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Simmeth Lieferantenmanager versions prior to 5.6
Description
An issue was discovered that allows an attacker to inject raw SQL queries. By activating MSSQL features, the attacker can execute arbitrary commands on the MSSQL server via the
xp cmdshell extended procedure.Recommendations
For versions prior to 5.6, update to version 5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the MSSQL server and disabling the
xp cmdshell extended procedure until a patch is applied. Avoid activating MSSQL features that allow the execution of arbitrary commands on the MSSQL server until the issue is resolved.Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mssql