VYPR
Moderate severity · NVD Advisory · Published Mar 10, 2022 · Updated Aug 3, 2024

CVE-2022-25506

Description

FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
FreeTAKServer-UI   PyPI        <= 1.9.8            (none listed)

Vulnerability mechanics

Root cause

"Missing input sanitization on the username parameter in the /AuthenticateUser endpoint allows SQL injection into the SQLite3 authentication database."

Attack vector

An attacker must first obtain a valid API key, which can be leaked through an XSS vulnerability on an End User Device or obtained as part of a UAV Operator's broadcast capabilities [ref_id=1]. Holding that key as a Bearer token, the attacker sends a crafted HTTP GET request to `/AuthenticateUser` whose `username` parameter carries a SQL injection payload (for example a UNION SELECT). The injected statement reads the `name` and `password` columns from the `SystemUser` table, so the HTTP response returns every username together with its cleartext password [CWE-89][ref_id=1].

Affected code

The vulnerability exists in the API endpoint `/AuthenticateUser` of FreeTAKServer-UI v1.9.8. The endpoint constructs SQL queries against an SQLite3 database without neutralizing user-supplied input from the `username` parameter, allowing an attacker to inject arbitrary SQL commands [ref_id=1].

What the fix does

The advisory does not include a patch or remediation guidance beyond the disclosure itself [ref_id=1], and no fix commit or updated version is referenced in the available bundle. To close the vulnerability, the application should pass `username` to SQLite as a bound parameter of a prepared statement rather than splicing it into the SQL text; escaping or filtering the input is a weaker fallback, since it has to anticipate every quoting rule of the dialect. Because the leaked `password` column is reported to hold cleartext values, hashing stored passwords would also limit the damage of any future query that does reach the table [CWE-89].
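The injection path from the attack vector and the remediation described here, reduced to a runnable sketch. This is an added example written for this page, not FreeTAKServer-UI's own code: it builds a constructed in-memory SQLite database with a `SystemUser` table carrying the `name` and `password` columns the advisory names, a hypothetical `authenticate_user_vulnerable` that splices `username` into the SQL text the way the root cause describes, and the parameterized `authenticate_user_fixed` that the remediation calls for. The exact statement FreeTAKServer-UI executes is not in the advisory, so the query shape, the sample rows and the payload text are assumptions.

```python
import sqlite3

# Constructed sample data (not from the project): a SystemUser table using the
# table and column names the advisory mentions. Passwords sit in cleartext here
# only because the advisory reports that the injected query returned cleartext
# passwords; it is a demonstration schema, nothing more.
SAMPLE_USERS = [
    ("admin", "hunter2"),
    ("operator", "uav-ops-2022"),
    ("viewer", "readonly"),
]

# UNION-based payload of the kind the advisory describes (assumed text): close
# the string literal, append a second SELECT over the same two columns, then
# comment out the trailing quote the original query would add.
UNION_PAYLOAD = "nobody' UNION SELECT name, password FROM SystemUser --"


def build_db():
    """Create the in-memory database and seed it with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE SystemUser (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO SystemUser (name, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def authenticate_user_vulnerable(conn, username):
    """Hypothetical lookup in the style the root cause describes: the username
    is pasted straight into the SQL text, so SQLite treats any quotes and
    keywords it contains as part of the statement."""
    query = f"SELECT name, password FROM SystemUser WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def authenticate_user_fixed(conn, username):
    """Parameterized form: the driver binds username as a value, so the same
    payload is compared literally against the name column and matches nothing."""
    query = "SELECT name, password FROM SystemUser WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups against the same payload and return their results."""
    conn = build_db()
    leaked = authenticate_user_vulnerable(conn, UNION_PAYLOAD)
    safe = authenticate_user_fixed(conn, UNION_PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned:", leaked)
    print("parameterized lookup returned:", safe)
```

Run stand-alone, the vulnerable function returns the whole `SystemUser` table for the payload while the parameterized function returns nothing; for an ordinary username such as `admin` both return the single matching row, which is the point of the fix: identical behaviour on legitimate input, no interpretation of attacker-controlled text as SQL.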

Preconditions

  • Auth: attacker must possess a valid API key (Bearer token) for the FreeTAKServer-UI instance
  • Network: the /AuthenticateUser endpoint must be reachable over the network
  • Input: the username parameter is accepted without sanitization

Reproduction

1. Obtain a valid API key for the target FreeTAKServer-UI instance (e.g., via XSS or UAV Operator broadcast).
2. Send a crafted GET request to `http://

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
