CVE-2022-27434: GitHub - LongWayHomie/CVE-2022-27434: UNIT4 TETA Mobile Edition 29HF13 was discovered to contain a SQL injection vulnerability via the ProfileName parameter in the errorReporting page.

CVE-2022-27434

UNIT4 TETA Mobile Edition 29HF13 was discovered to contain a SQL injection vulnerability via the ProfileName parameter in the errorReporting page.

The vulnerability exist in the error page generated by the application (in this case: while changing password). Adding quotation mark to the ProfileName parameter will generate Oracle database error, meaning that the input is not being sanitized.

Request

Response

Remediation

The vulnerability already has been reported to the UNIT4 via their service portal. The patch is already available to download (29.5.HF17).