CVE-2022-44003
Description
An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BACKCLICK Professional 5.9.63 is vulnerable to SQL injection at multiple locations due to insufficient escaping of user input.
Vulnerability
BACKCLICK Professional 5.9.63 (On-Premises) is affected by SQL injection vulnerabilities at various locations. The application constructs SQL queries by inserting user-controlled parameters without proper escaping, allowing an attacker to inject arbitrary SQL syntax. This issue is documented in the SySS advisory SYSS-2022-029 [1].
Exploitation
An attacker with network access to the BACKCLICK web interface can exploit the vulnerability by sending crafted HTTP requests containing malicious SQL syntax in user-controlled parameters. The advisory notes that the vulnerability exists at multiple locations, indicating a systemic flaw in query construction [1]. No authentication is explicitly required for all instances, but some injection points may be accessible without prior login.
Impact
Successful exploitation enables an attacker to retrieve all data stored within the database, leading to complete information disclosure. Depending on database permissions, further compromise such as data modification or privilege escalation may be possible [1].
Mitigation
As of the public disclosure date (2022-11-14), no patch or workaround has been released by the manufacturer. The solution status remains unknown [1][2]. Organizations using BACKCLICK Professional 5.9.63 should apply general input validation and parameterized query practices, and monitor for vendor updates.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BACKCLICK/Professional
- Range: 5.9.63
Patches
No patches discovered yet.