VYPR
Unrated severity · NVD Advisory · Published Aug 9, 2023 · Updated Oct 10, 2024

CVE-2022-48587

Description

A SQL injection vulnerability exists in the "schedule editor" feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a SQL query. This allows arbitrary SQL to be injected into the query before it is executed against the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A SQL injection vulnerability in ScienceLogic SL1's schedule editor allows arbitrary SQL injection via unsanitized user input.

Vulnerability

A SQL injection vulnerability exists in the "schedule editor" feature of ScienceLogic SL1 versions 11.1.2 and earlier. The application takes user-controlled input without proper sanitization and passes it directly to a SQL query, allowing arbitrary SQL injection [1].

Exploitation

An attacker with access to the schedule editor feature can exploit this vulnerability by providing crafted input in the affected fields. No additional privileges beyond those required to use the schedule editor are necessary, as the input is not sanitized before being used in a SQL query [1].

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the database. This can lead to unauthorized access, data exfiltration, modification, or deletion, potentially compromising the entire database [1].

Mitigation

ScienceLogic recommends updating to the latest version of SL1. As of the public disclosure date (August 9, 2023), no specific patched version number has been announced, but upgrading to a version newer than 11.1.2 is advised. If an immediate update is not possible, restrict access to the schedule editor feature to trusted users [1].

References
  1. CVE-2022-48587

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
