CVE-2022-46501
Description
Accruent LLC Maintenance Connection 2021 (all) & 2022.2 was discovered to contain a SQL injection vulnerability via the E-Mail to Work Order function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability exists in Accruent Maintenance Connection 2021 and 2022.2 via the E-Mail to Work Order function, allowing potential unauthorized data access.
Vulnerability
Accruent LLC Maintenance Connection versions 2021 (all) and 2022.2 contain a SQL injection vulnerability in the E-Mail to Work Order function [1]. The vulnerable code path is reachable when an email is processed to create or update work orders, and the input is not properly sanitized. All deployments of these versions are affected unless patched.
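The following added example illustrates the class of flaw described above: an email-to-work-order handler that builds its INSERT by string concatenation, next to one that binds the email fields as parameters. It is not Accruent's code and is not taken from the references; the table schema, function names and sample message are hypothetical, and SQLite stands in for the product's database.

```python
import sqlite3
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; the apostrophe in the subject is ordinary text.
SAMPLE_EMAIL = """\
From: Pat O'Neil <pat@example.org>
To: workorders@example.org
Subject: Boiler room door won't latch

Door on level 2 needs a new strike plate.
"""

def open_db():
    # Hypothetical schema, not Maintenance Connection's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE work_orders "
               "(id INTEGER PRIMARY KEY, requester TEXT, subject TEXT, body TEXT)")
    return db

def parse_fields(raw):
    # Every value returned here is controlled by whoever sent the email.
    msg = message_from_string(raw)
    requester = parseaddr(msg.get("From", ""))[1]
    return requester, msg.get("Subject", ""), msg.get_payload()

def create_work_order_concat(db, raw):
    # Anti-pattern: email text is spliced into the SQL statement itself.
    sql = ("INSERT INTO work_orders (requester, subject, body) "
           "VALUES ('%s', '%s', '%s')" % parse_fields(raw))
    return db.execute(sql).lastrowid

def create_work_order_bound(db, raw):
    # Hardened: the statement text is fixed; email fields travel as bound values.
    sql = "INSERT INTO work_orders (requester, subject, body) VALUES (?, ?, ?)"
    return db.execute(sql, parse_fields(raw)).lastrowid

def demo():
    db = open_db()
    try:
        create_work_order_concat(db, SAMPLE_EMAIL)
        concat_ok = True
    except sqlite3.Error:
        concat_ok = False  # the apostrophe ended the string literal early
    row_id = create_work_order_bound(db, SAMPLE_EMAIL)
    query = "SELECT subject FROM work_orders WHERE id = ?"
    return concat_ok, db.execute(query, (row_id,)).fetchone()[0]

if __name__ == "__main__":
    print(demo())
```

A harmless apostrophe breaking the concatenated statement is the sign that message content is being interpreted as SQL; with bound parameters the same subject is stored verbatim.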
Exploitation
An attacker can exploit this vulnerability by sending a crafted email that is processed by the vulnerable E-Mail to Work Order function. The attacker needs only the ability to send an email to the system's configured email-to-work-order address; no authentication is required for the email itself, but the system must be configured to process such emails. The injection occurs during email parsing before database query execution. No user interaction is needed beyond the email being received and processed by the system.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the back-end database. This can lead to unauthorized reading or modification of sensitive data, including work orders, user credentials, and other operational information. The attacker can potentially escalate privileges or gain persistent access to the system, resulting in a compromise of confidentiality, integrity, and availability [2].
Mitigation
Accruent has provided a fix for all remaining systems and advises installing the 2023 upgrade that was made available in March 2024 [2]. Users of Maintenance Connection 2021 or 2022.2 should upgrade to the 2023 release or later to remediate this vulnerability. No workarounds have been publicly documented; the only recommended action is to apply the vendor-supplied patch.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: 2021, 2022.2
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.