CVE-2022-38616: SmartVista SVFE2 v2.2.22 has a SQL injection vulnerability in the UserForm:j_id90 parameter.

Successful exploitation could lead to access to critical program functions and possibly to system takeover. In addition to the SQL injection issue discovered, SmartVista SVFE2 v2.2.22 also suffers from a number of other vulnerabilities, such as XSS and CSRF; a complete security assessment of this product is out of scope for this advisory. It is strongly recommended that you upgrade to the latest version of this software as soon as possible. Alternatively, apply the advised mitigations to protect against this threat. Further information about this and other vulnerabilities can be found in our security advisory.

SQL Injection

SQL injection is a type of injection attack that uses SQL commands to manipulate application data. It is the most widely used and one of the oldest types of web-based attacks. Techniques for SQL injection have been documented since the mid-1990s and are commonly used by attackers against web sites as part of their offensive arsenal.

Vulnerability overview

SmartVista SVFE2 v2.2.22 suffers from a number of vulnerabilities that can lead to a complete system takeover and compromise of critical program functions. These vulnerabilities include SQL injection, XSS and CSRF, among others.
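The advisory names the injectable parameter but no detection guidance, so the following is an added example (not code from the advisory or the vendor) that scans web-server access logs for SQL metacharacters in the UserForm:j_id90 parameter. It assumes the parameter is visible in the logged request line (as with GET requests; POST bodies would need an application or WAF log instead), and the log lines, IP addresses, path and timestamps are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameter named in the advisory for SmartVista SVFE2 v2.2.22.
TARGET_PARAM = "UserForm:j_id90"

# Conservative SQL-injection indicators: triage heuristics, not a full signature set.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),  # tautology after a quote
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),         # UNION-based probing
    re.compile(r"--|/\*"),                                    # SQL comment terminators
]

# Common Log Format style; the IPs, path, values and timestamps below are constructed.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) \S+" \d{3}')
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Sep/2022:12:15:00 +0000] "GET /app/user?UserForm:j_id90=jsmith HTTP/1.1" 200',
    '10.0.0.9 - - [13/Sep/2022:12:15:07 +0000] "GET /app/user?UserForm:j_id90=jsmith%27%20OR%20%271%27%3D%271 HTTP/1.1" 200',
    '10.0.0.9 - - [13/Sep/2022:12:15:11 +0000] "GET /app/user?UserForm:j_id90=x%27%20UNION%20SELECT%20null-- HTTP/1.1" 500',
    '10.0.0.7 - - [13/Sep/2022:12:16:02 +0000] "GET /app/user?UserForm:j_id90=o%27brien HTTP/1.1" 200',
]

def parse_line(line):
    """Return (ip, timestamp, query params) for a matching line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    return m.group("ip"), m.group("ts"), parse_qs(query, keep_blank_values=True)

def suspicious_values(params):
    """Decoded values of TARGET_PARAM that trip at least one pattern."""
    hits = []
    for raw in params.get(TARGET_PARAM, []):
        value = unquote_plus(raw)  # second decode catches double-encoded input
        if any(p.search(value) for p in SQLI_PATTERNS):
            hits.append(value)
    return hits

def scan(lines):
    """Return [(ip, timestamp, value)] for every request that looks like SQLi."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not in the expected log format
        ip, ts, params = parsed
        findings.extend((ip, ts, v) for v in suspicious_values(params))
    return findings
```

Running `scan(SAMPLE_LOG)` flags only the two requests from 10.0.0.9; the legitimate apostrophe in `o'brien` is not reported, which is the kind of false-positive check worth keeping when tuning the patterns against real traffic.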

Timeline

Published on: 09/13/2022 12:15:00 UTC
Last modified on: 09/15/2022 20:50:00 UTC

References