Lucene search

TMLCVELIST:CVE-2022-3059

HistoryOct 31, 2022 - 8:06 p.m.

CVE-2022-3059 SQL injection in Schoolbox version 21.0.2, by Schoolbox Pty Ltd

2022-10-3120:06:55

CWE-89

TML

www.cve.org

cve-2022-3059

sql injection

schoolbox pty ltd

stacked query support

inferential sql injection

database extraction

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.7%

JSON

The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Schoolbox",
    "vendor": "Schoolbox Pty Ltd",
    "versions": [
      {
        "status": "affected",
        "version": "21.0.2"
      }
    ]
  }
]

References

www.themissinglink.com.au/security-advisories/cve-2022-3059

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.7%

JSON

Related for CVELIST:CVE-2022-3059