VYPR
Unrated severity · NVD Advisory · Published Sep 9, 2022 · Updated Aug 4, 2024

CVE-2021-44835


Description

An issue was discovered in Active Intelligent Visualization 5. The Vdc header is used in a SQL query without being sanitized. This causes SQL injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated SQL injection in AIVHUB Active Intelligent Visualization 5 via the Vdc header allows blind database extraction.

Vulnerability

Active Intelligent Visualization 5 by AIVHUB LTD contains an SQL injection vulnerability in its handling of the Vdc HTTP header. The header value is concatenated directly into a SQL query without sanitization, as reflected in the disclosed query fragment FROM _ai_notification. All versions of Active Intelligent Visualization 5 are affected; the vendor has released no fix [1].

Exploitation

An attacker can send a crafted HTTP request carrying a malicious Vdc header value. The injection point is the FROM clause of a SQL query that computes notification counts. By supplying a subquery that returns the expected columns (notification_type, readstatus, etc.), an attacker can keep the injected query syntactically valid. The notificationCount response header reflects the value of readstatus: if the injected readstatus evaluates to true (1), the header shows 0;0;0;0; if it evaluates to false (0), the header shows 1;0;0;0. This boolean oracle turns the flaw into a blind SQL injection in which the attacker asks a series of true/false questions to extract arbitrary database content [1].

Impact

Successful exploitation allows an unauthenticated attacker to perform a blind SQL injection, leading to full disclosure of the underlying database contents. This can include sensitive user data, credentials, or configuration information. The attacker does not need prior authentication or user interaction [1].

Mitigation

No patch or fixed version had been provided by the vendor as of the publication date (2022-09-09). The vendor was contacted but released no fix; the software may be end-of-life or unsupported. As no workaround has been disclosed, deploying a web application firewall (WAF) rule that validates the Vdc header, or restricting network access to the application, is recommended [1].
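The following Python is an added illustration, not the vendor's code (which is not published here). It contrasts the concatenation pattern the Exploitation section describes with an allow-listed replacement, which is the appropriate hardening for a FROM-clause injection point where bound parameters cannot help, and it doubles as the kind of header validation a WAF rule would apply. The legitimate Vdc value format, the Vdc-to-table mapping and the sample rows are assumptions.

```python
import re
import sqlite3

# Assumption: legitimate Vdc values are short plain identifiers; adjust to the real format.
VDC_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Assumed allow-list: each accepted Vdc value is mapped to the one table it may read.
VDC_TABLES = {"main": "_ai_notification", "tenant2": "_ai_notification_tenant2"}


def vdc_header_allowed(value):
    """WAF-style check for the Vdc header: accept only a plain identifier, nothing else."""
    return value is not None and VDC_PATTERN.fullmatch(value) is not None


def unsafe_query(vdc):
    """The pattern the advisory describes: the raw header value lands in the FROM clause."""
    return "SELECT notification_type, readstatus FROM " + vdc


def safe_query(vdc):
    """Hardened form: the table name is resolved through the allow-list, so the header
    value never reaches the SQL text at all."""
    if not vdc_header_allowed(vdc) or vdc not in VDC_TABLES:
        raise ValueError("Vdc header rejected")
    return "SELECT notification_type, readstatus FROM %s" % VDC_TABLES[vdc]


def count_unread(conn, vdc):
    """Run the hardened query and return the number of unread (readstatus == 0) rows."""
    rows = conn.execute(safe_query(vdc)).fetchall()
    return sum(1 for _, readstatus in rows if readstatus == 0)


def demo_db():
    """Constructed in-memory database standing in for the product's notification table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE _ai_notification (notification_type TEXT, readstatus INTEGER)")
    conn.executemany("INSERT INTO _ai_notification VALUES (?, ?)",
                     [("alert", 0), ("info", 1), ("alert", 0)])
    return conn
```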

References
  1. CVE-2021-44835

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 2

News mentions: 0 (no linked articles in the index yet)