Lucene search

[email protected]CVE-2022-44014

HistoryDec 25, 2022 - 5:15 a.m.

CVE-2022-44014

2022-12-2505:15:10

[email protected]

web.nvd.nist.gov

cve-2022-44014

api design flaw

unauthorized access

sql tables

sensitive data exposure

simmeth lieferantenmanager

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.8%

JSON

An issue was discovered in Simmeth Lieferantenmanager before 5.6. In the design of the API, a user is inherently able to fetch arbitrary SQL tables. This leaks all user passwords and MSSQL hashes via /DS/LM_API/api/SelectionService/GetPaggedTab.

Affected configurations

NVD

Node

simmethlieferantenmanagerRange<5.6

CPENameOperatorVersion
simmeth:lieferantenmanagersimmeth lieferantenmanagerlt5.6

CPE	Name	Operator	Version
simmeth:lieferantenmanager	simmeth lieferantenmanager	lt	5.6

References

sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-simmeth-system-gmbh-lieferantenmanager/

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.8%

JSON

Related for CVE-2022-44014

nvd1 prion1 cnvd1 cvelist1 zdt1 packetstorm1