PT-2022-6532 · Schneider Electric · EcoStruxure Operator Terminal Expert, Pro-face BLUE

Published: 2022-10-11 · Updated: 2022-11-08 · CVE-2022-41671

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
EcoStruxure Operator Terminal Expert versions V3.3 Hotfix 1 or prior
Pro-face BLUE versions V3.3 Hotfix 1 or prior
Description
An SQL injection vulnerability exists in the project migration functionality. An adversary with local user privileges can craft malicious SQL that is executed as part of project migration, potentially resulting in the execution of malicious code. The CVSS vector reflects this: a local attack requiring only low privileges and no user interaction, with high impact on confidentiality, integrity and availability. The root cause is improper neutralization of special elements used in SQL commands: untrusted project content reaches an SQL statement without being escaped or bound as a parameter.
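The injection pattern the description refers to, shown as an added illustration that is not part of this advisory and is not the product's code: a hypothetical migration routine that splices screen names from a legacy project file into SQL text, beside the parameterized form that neutralizes the same input. The project file layout, the table schema and the SQLite backend are assumptions made for the demonstration; the real migration code and database are not public. Python's sqlite3 module is used because its executescript() runs every statement in the string, which makes the effect of a stacked-statement payload visible (here an extra table appears; the "execution of malicious code" impact stated in the advisory refers to the real product and is not reproduced).

```python
import sqlite3

# Constructed sample: a minimal stand-in for a legacy project file in which one
# screen name carries an injection payload. Hypothetical layout, not the
# product's real project format.
LEGACY_PROJECT = {
    "screens": [
        {"name": "Main"},
        {"name": "Alarms'); CREATE TABLE pwned(marker TEXT); --"},
    ]
}

# Assumed target schema for the migrated project database.
SCHEMA = "CREATE TABLE screens (id INTEGER PRIMARY KEY, name TEXT NOT NULL);"


def migrate_vulnerable(project: dict) -> sqlite3.Connection:
    """Migration step that builds SQL by string concatenation and runs it as a
    script. Untrusted project content becomes part of the SQL text, so a
    crafted screen name can close the INSERT and append statements of its own."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for screen in project["screens"]:
        sql = "INSERT INTO screens (name) VALUES ('" + screen["name"] + "');"
        db.executescript(sql)  # runs every statement found in the string
    return db


def migrate_hardened(project: dict) -> sqlite3.Connection:
    """Same migration with the value bound as a parameter: the name is handed
    to the engine as data, never spliced into SQL text, and the statement is
    fixed at one INSERT, so no stacked statements can be introduced."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO screens (name) VALUES (?)",
        [(screen["name"],) for screen in project["screens"]],
    )
    db.commit()
    return db


def table_names(db: sqlite3.Connection) -> set:
    """Tables present after migration; an unexpected 'pwned' table shows that
    attacker-supplied SQL was executed."""
    rows = db.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    return {row[0] for row in rows}


def screen_names(db: sqlite3.Connection) -> list:
    """Screen names as stored; the hardened path keeps the payload as a literal."""
    return [row[0] for row in db.execute("SELECT name FROM screens ORDER BY id")]


if __name__ == "__main__":
    print("vulnerable tables:", table_names(migrate_vulnerable(LEGACY_PROJECT)))
    print("hardened tables:  ", table_names(migrate_hardened(LEGACY_PROJECT)))
    print("hardened screens: ", screen_names(migrate_hardened(LEGACY_PROJECT)))
```

The same payload is harmless to the hardened routine because the driver sends it as a bound value; the engine never parses it as SQL. Any fix for an issue of this class has to apply the same rule to every field read from the project file, not only to the one found during testing.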
Recommendations
For EcoStruxure Operator Terminal Expert versions V3.3 Hotfix 1 or prior, consider disabling the project migration functionality until a patch is available. For Pro-face BLUE versions V3.3 Hotfix 1 or prior, restrict access to SQL query execution as a temporary workaround until a fix is provided. Because exploitation requires local user privileges, also limit which accounts can log on to the engineering workstations running these products, and only migrate project files that come from a trusted source. At the moment there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

SQL injection (CWE-89: Improper Neutralization of Special Elements used in an SQL Command)

Related Identifiers

BDU:2023-02121
CVE-2022-41671

Affected Products

EcoStruxure Operator Terminal Expert
Pro-face BLUE