CVE-2022-24240
Description
ACEweb Online Portal 3.5.065 was discovered to contain a SQL injection vulnerability via the criteria parameter in showschedule.awp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in ACEweb Online Portal 3.5.065 allows remote unauthenticated attackers to execute arbitrary SQL commands via the criteria parameter in showschedule.awp.
Vulnerability
ACEweb Online Portal version 3.5.065 is vulnerable to SQL injection in the showschedule.awp endpoint via the criteria parameter. The parameter is passed unsanitized into a database query, allowing an attacker to inject arbitrary SQL statements. [1]
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint with malicious SQL payloads in the criteria parameter. No authentication is required, and the attacker only needs network access to the web application. [1]
Impact
Successful exploitation can lead to unauthorized access to the underlying database, potentially exposing sensitive user data, modifying records, or achieving complete database compromise. The impact includes full information disclosure and possible data integrity loss depending on the database permissions. [1]
Mitigation
As of the publication date, no official patch or fixed version has been released by ACEweb. Users should consider applying generic web application firewall rules to filter SQL injection attempts or disable the affected endpoint if possible until a vendor update is provided.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ACEweb/ACEweb Online Portal
- Range: = 3.5.065
Patches
No patches discovered yet.
References
- aceware.com (mitre, x_refsource_MISC)
- aceweb.com (mitre, x_refsource_MISC)
- www.aceware.com/forum/viewtopic.php (mitre, x_refsource_MISC)