CVE-2022-44014

Published: 25 Dec 2022 05:10:15
Reported by: mitre
Type: cve
Source: web.nvd.nist.gov

An API design flaw in Simmeth Lieferantenmanager before 5.6 allows unauthorized access to SQL tables, exposing sensitive user data.


Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| NVD | CVE-2022-44014 | 25 Dec 2022 05:15 | nvd |
| Cvelist | CVE-2022-44014 | 25 Dec 2022 00:00 | cvelist |
| CNVD | Simmeth System Supplier Manager Design Error Vulnerability | 21 Nov 2022 00:00 | cnvd |
| RedhatCVE | CVE-2022-44014 | 23 May 2025 00:09 | redhatcve |
| Vulnrichment | CVE-2022-44014 | 25 Dec 2022 00:00 | vulnrichment |
| Prion | Design/Logic Flaw | 25 Dec 2022 05:15 | prion |
| 0day.today | Simmeth System GmbH Supplier Manager LFI / SQL Injection / Bypass Vulnerabilities | 16 Nov 2022 00:00 | zdt |
| Packet Storm | Simmeth System GmbH Supplier Manager LFI / SQL Injection / Bypass | 15 Nov 2022 00:00 | packetstorm |
Paths (Nvd)

| Parameter | Position | Path | Description | CWE |
|---|---|---|---|---|
| Credential | request body | /DS/LM_API/api/SelectionService/GetPaggedTab | A faulty API design allows an attacker to fetch arbitrary SQL tables, leaking user passwords and MSSQL hashes. | CWE-284 |
| TableFilters | request body | /DS/LM_API/api/SelectionService/GetPaggedTab | A faulty API design allows an attacker to fetch arbitrary SQL tables, leaking user passwords and MSSQL hashes. | CWE-284 |
| ImagesPath | request body | /DS/LM_API/api/ConfigurationService/GetImages | The API can be abused to read arbitrary files from the file system due to allowing paths from the frontend. | CWE-284 |
| Mandant | request body | /DS/LM_API/api/ConfigurationService/GetConfiguration | The API call returns cleartext SMTP credentials, enabling an attacker to send phishing emails. | CWE-284 |
| Columns | request body | /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId | Allows an attacker to store and execute JavaScript code in victims' browsers, leading to XSS. | CWE-79 |

Version: 25 Dec 2022 05:15 (current)
Vulners AI Score: 6.9 (Medium risk)
CVSS3: 6.5
EPSS: 0.0011