CVE-2022-28862

In Archibus Web Central before 26.2, multiple SQL Injection vulnerabilities occur in dwr/call/plaincall/workflow.runWorkflowRule.dwr. Through the injection of arbitrary SQL statements, a potential attacker can modify query syntax and perform unauthorized (and unexpected) operations against the remote database. This is fixed in all recent versions, such as version 26.2.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
VendorProductVersion
archibusweb_central
𝑥
< 26.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.gruppotim.it/it/footer/red-team.html
https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html
https://www.gruppotim.it/it/footer/red-team.html
https://www.telecomitalia.com/tit/it/innovazione/cybersecurity/red-team.html