CVE-2022-38615: SQL Injection in Service Group feature of SmartVista SVFE2 version 2.2.22 (CVE-2022-38615)

SmartVista SVFE2 v2.2.22 was discovered to contain multiple SQL injection vulnerabilities via the UserForm:j_id88, UserForm:j_id90, and UserForm:j_id92 parameters at /SVFE2/pages/feegroups/service_group.jsf.

An attacker requires an account on SmartVista SVFE2. All three parameters belong to /SVFE2/pages/feegroups/service_group.jsf. For the "UserForm:j_id92" parameter (Description), the attacker uses a quote character to break out of the query string and inject an SQL payload. For the "UserForm:j_id88" and "UserForm:j_id90" parameters (Group ID, Service ID), the payload is injected without a quote character. Response data could help an attacker identify whether an injected SQL query is correct or not.
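The following added example is not SmartVista code and is not taken from the advisory. It uses Python's `sqlite3` as a stand-in database to show why escaping quotes covers only the quoted Description context, while the unquoted numeric context stays open until values are type-checked and bound. The table, column and function names and all sample values are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE service_group "
               "(group_id INTEGER, service_id INTEGER, description TEXT)")
    db.executemany("INSERT INTO service_group VALUES (?, ?, ?)",
                   [(1, 10, "card fees"), (2, 20, "atm fees"), (3, 30, "pos fees")])
    return db

def search_concat(db, description, group_id):
    # Vulnerable pattern: both form values become part of the SQL text.
    # description sits inside quotes, group_id sits in a bare numeric position.
    sql = ("SELECT group_id FROM service_group WHERE description = '"
           + description + "' AND group_id = " + group_id)
    return [row[0] for row in db.execute(sql)]

def search_escaped(db, description, group_id):
    # Incomplete fix: doubling quotes neutralises the quoted context only.
    # The numeric position never needed a quote, so it is still injectable.
    return search_concat(db, description.replace("'", "''"), group_id)

def search_bound(db, description, group_id):
    # Hardened: the numeric field must parse as an integer (ValueError if not),
    # and every value is passed as a bound parameter, never as SQL text.
    gid = int(group_id)
    rows = db.execute("SELECT group_id FROM service_group "
                      "WHERE description = ? AND group_id = ?",
                      (description, gid))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    quoted = "x' OR '1'='1"   # constructed input for the quoted context
    unquoted = "0 OR 1=1"     # constructed input for the numeric context
    print("concat, quoted   :", search_concat(db, quoted, "1"))
    print("concat, unquoted :", search_concat(db, "nomatch", unquoted))
    print("escaped, quoted  :", search_escaped(db, quoted, "1"))
    print("escaped, unquoted:", search_escaped(db, "nomatch", unquoted))
    print("bound, quoted    :", search_bound(db, quoted, "1"))
    try:
        search_bound(db, "nomatch", unquoted)
    except ValueError as exc:
        print("bound, unquoted rejected:", exc)
```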