CVE-2022-48603
Description
A SQL injection vulnerability exists in the "message viewer iframe" feature of the ScienceLogic SL1 that takes unsanitized user-controlled input and passes it directly to a SQL query. This allows for the injection of arbitrary SQL before being executed against the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection in the message viewer iframe of ScienceLogic SL1 (up to and including 11.1.2) lets an attacker run arbitrary SQL against the backend database.
Vulnerability
A SQL injection vulnerability exists in the "message viewer iframe" feature of ScienceLogic SL1 versions up to and including 11.1.2 [1]. The feature takes a user-controlled request parameter and splices it into a SQL statement without sanitization or parameter binding, so an attacker controls part of the statement the database executes [1].
Exploitation
The cited reference describes the vulnerable iframe endpoint as reachable without authentication [1]; the CVE description itself says nothing about an authentication requirement, so treat that as the reference's claim rather than something the description confirms. By placing SQL syntax in the input parameter, the attacker changes the statement the database executes, for example turning a lookup of one message into a query that returns every row or unions in data from another table [1]. Beyond whatever access the endpoint itself requires, the only prerequisite is network reachability of the SL1 web interface.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the ScienceLogic SL1 database. This can lead to unauthorized reading, modification, or deletion of sensitive data, including credentials, configuration, and monitoring information. The attacker's reach is bounded by the privileges of the database account the SL1 application connects with [1]; for a monitoring platform that account can normally read and write the whole application schema, so the practical effect is full access to the application's data.
Mitigation
ScienceLogic has addressed this vulnerability in a newer release. Users must update to a fixed version of ScienceLogic SL1 [1]. No workarounds are given in the referenced advisory. If an upgrade is not immediately possible, restrict network access to the SL1 web interface to trusted management networks as a compensating control, and review web server and database logs for requests to the message viewer iframe whose parameters carry SQL syntax (quotes, comment markers, UNION or OR clauses).
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
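The vulnerability and mitigation sections above describe the mechanism in words: a request parameter is concatenated into a SQL statement, so SQL syntax in the parameter becomes part of the query. The following added example (not ScienceLogic's code and not taken from the advisory) shows that pattern in miniature and the fix beside it. The schema, the rows, the handler names and the query shape are all constructed for illustration; nothing here is the real SL1 query or table layout.

```python
"""Added illustration of CVE-2022-48603's class of bug, not SL1 code.

A hypothetical "message viewer" handler takes a message id from the request,
builds the query by string concatenation, and so executes whatever SQL the
caller places in the parameter. The fixed handler validates the type and binds
the value instead of splicing it into the statement.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample schema: a messages table (what a message viewer reads)
    # and a users table that the viewer endpoint should never expose.
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        CREATE TABLE users (name TEXT, password_hash TEXT);
        INSERT INTO messages VALUES (1, 'alice', 'disk /var 91% full');
        INSERT INTO messages VALUES (2, 'bob', 'interface eth1 down');
        INSERT INTO users VALUES ('admin', '$6$constructed$hash');
        """
    )
    return con


def view_message_vulnerable(con: sqlite3.Connection, message_id: str) -> list:
    # Hypothetical vulnerable handler: the parameter goes straight into the SQL text,
    # so "1 OR 1=1" or "0 UNION SELECT ..." is parsed as SQL, not as an id.
    sql = f"SELECT id, owner, body FROM messages WHERE id = {message_id}"
    return con.execute(sql).fetchall()


def view_message_fixed(con: sqlite3.Connection, message_id: str) -> list:
    # Hypothetical fixed handler. Two independent layers:
    #  1. type validation rejects anything that is not a plain integer literal;
    #  2. the value is bound with a placeholder, so even if validation were
    #     loosened the driver would pass it as data, never as SQL syntax.
    if not message_id.isdigit():
        raise ValueError("message id must be a non-negative integer")
    return con.execute(
        "SELECT id, owner, body FROM messages WHERE id = ?", (int(message_id),)
    ).fetchall()


def rejected_by_fixed(con: sqlite3.Connection, payload: str) -> bool:
    # Helper for the demonstration: True if the fixed handler refuses the payload.
    try:
        view_message_fixed(con, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    # Constructed payloads of the shape the advisory's description implies.
    payloads = ["1", "1 OR 1=1", "0 UNION SELECT 1, name, password_hash FROM users"]
    for p in payloads:
        print("vulnerable:", repr(p), "->", view_message_vulnerable(db, p))
        print("fixed:     ", repr(p), "->",
              "rejected" if rejected_by_fixed(db, p) else view_message_fixed(db, p))
```

The UNION payload is the one to note for impact: a viewer that was meant to return one message row hands back rows from an unrelated credentials table, exactly the "unauthorized reading of credentials and configuration" the impact section describes. The bound-parameter version is the durable fix; the `isdigit` check is defence in depth and also gives a cheap signal to log.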
Affected products
ScienceLogic / SL1, version range: 11.1.2
Patches
No patches discovered yet.
References
1 reference (entry not shown in this extract)
News mentions
No linked articles in our index yet.