VYPR
Unrated severity · NVD Advisory · Published Sep 28, 2022 · Updated May 21, 2025

SQL-injection in Car Park Server 3.0 allows for full database access.

CVE-2022-28813

Description

In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 a remote, unauthenticated attacker could make use of an SQL-injection to gain access to a volatile temporary database with the current states of the device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in Carlo Gavazzi UWP 3.0 (all versions) and CPY Car Park Server 2.8.3 allows remote attackers to read volatile device state data.

Vulnerability

An SQL injection vulnerability exists in the Carlo Gavazzi UWP 3.0 controller (all versions) and the CPY Car Park Server (version 2.8.3) [1]. The flaw resides in an unspecified web interface endpoint that does not sanitize user-supplied input before incorporating it into SQL queries. No authentication or special configuration is required to reach the vulnerable code path; the endpoint is accessible to any network entity that can communicate with the device's embedded web server [1].

Exploitation

A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request containing SQL injection payloads to the affected web interface [1]. The attacker does not need prior network position beyond being able to reach the device over the network. No user interaction is required. The attack proceeds by injecting SQL commands that bypass the intended query logic, allowing the attacker to retrieve arbitrary data from the volatile temporary database that stores the current operational states of the device [1].

Impact

Successful exploitation allows the attacker to read the contents of the device's volatile temporary database, which contains current state information of the UWP 3.0 controller or CPY Car Park Server [1]. The impact is limited to information disclosure of operational state data; the description does not indicate that the attacker can modify the database or execute commands on the device. The attacker gains low-privilege read access to real-time device state information but does not achieve full device compromise [1].

Mitigation

As of publication, Carlo Gavazzi has not released a patch for the affected products [1]. Users are advised to restrict network access to the web interface of the devices to trusted networks and to monitor vendor advisories for future updates. The devices are not known to be listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. No workaround is provided in the available references [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (6)

  • Version =2.8.3 (no CPE), plus 1 more range:
    • range: =2.8.3 (no CPE)
    • range: 2 (no CPE)
  • Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller (range: 8)
  • Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – EDP version (range: 8)
  • Carlo Gavazzi / UWP 3.0 Monitoring Gateway and Controller – Security Enhanced (range: 8)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.