Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. It is also possible to achieve remote code execution in the default installation (PostgreSQL) by exploiting this issue.
References
| Link | Resource |
|---|---|
| https://fluidattacks.com/advisories/spinetta/ | Exploit Third Party Advisory |
| https://www.network-olympus.com/monitoring/ | Product Vendor Advisory |
| https://fluidattacks.com/advisories/spinetta/ | Exploit Third Party Advisory |
| https://www.network-olympus.com/monitoring/ | Product Vendor Advisory |
Configurations
History
21 Nov 2024, 06:51
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://fluidattacks.com/advisories/spinetta/ - Exploit, Third Party Advisory | |
| References | () https://www.network-olympus.com/monitoring/ - Product, Vendor Advisory |
16 Mar 2022, 03:40
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 7.2 |
| CPE | cpe:2.3:a:softinventive:network_olympus:1.8.0:*:*:*:*:*:*:* | |
| References | (MISC) https://www.network-olympus.com/monitoring/ - Product, Vendor Advisory | |
| References | (MISC) https://fluidattacks.com/advisories/spinetta/ - Exploit, Third Party Advisory | |
| CWE | CWE-89 |
10 Mar 2022, 17:53
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-03-10 17:47
Updated : 2024-11-21 06:51
NVD link : CVE-2022-25225
Mitre link : CVE-2022-25225
CVE.ORG link : CVE-2022-25225
JSON object : View
Products Affected
softinventive
- network_olympus
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')