CVE-2022-48600
Description
A SQL injection vulnerability exists in the “notes view” feature of ScienceLogic SL1, which takes unsanitized user-controlled input and passes it directly to a SQL query. This allows arbitrary SQL to be injected before the query is executed against the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-48600 is a SQL injection in ScienceLogic SL1's 'notes view' that lets an attacker execute arbitrary SQL queries due to unsanitized input.
Vulnerability
A SQL injection vulnerability exists in the 'notes view' feature of ScienceLogic SL1 (versions <= 11.1.2). The feature takes unsanitized user-controlled input and passes it directly to a SQL query, allowing arbitrary SQL to be injected before execution against the database [1].
Exploitation
An attacker with network access to the ScienceLogic SL1 instance can supply crafted, malicious SQL input to the vulnerable 'notes view' parameter. No authentication or special privileges are explicitly required; the unsanitized input is concatenated directly into a SQL query, enabling straightforward injection without additional user interaction [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized reading or modification of sensitive data, privilege escalation, or potential compromise of the entire SL1 application and its data [1].
Mitigation
ScienceLogic SL1 versions <= 11.1.2 are affected. Update to the latest version of ScienceLogic SL1, as recommended by the vendor [1]. No workarounds are documented in the available references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ScienceLogic/SL 1 (v5), Range: 11.1.2
Patches
No patches discovered yet.
References