CVE-2022-30025: Zero-Day Vulnerability Identified in Credence Analytics - iDEAL - Wealth and Funds - V1.0

SQL injection in the “/Framewrk/Home.jsp” file (POST method) in Credence Analytics iDEAL Wealth and Funds - 1.0 allows authenticated remote attackers to inject a payload via the “v” parameter.

Zero-Day Vulnerability Identified in Credence Analytics - iDEAL - Wealth and Funds - V1.0

[description]

SQL injection in the “/Framewrk/Home.jsp” file (POST method) in “tCredence” allows authenticated remote attackers to inject a payload via the “v” parameter.

------------------------------------------

[Vulnerability Type]

SQL Injection

------------------------------------------

[Vendor of Product]

Credence Analytics

------------------------------------------

[Affected Product Code Base]

iDEAL - Wealth and Funds - 1.0

------------------------------------------

[Affected Component]

*/Framewrk/Home.jsp

------------------------------------------

[Attack Type]

Remote

------------------------------------------

[Impact Code execution]

true

------------------------------------------

[Impact Information Disclosure]

true

------------------------------------------

[Attack Vectors]

A remote authenticated session can be used to execute SQL injection through the “v” parameter of the “/Framewrk/Home.jsp” file, allowing complete data exfiltration.

------------------------------------------

[Reference]

https://www.credenceanalytics.com

------------------------------------------

[Discoverer]

Abhirup Guha

[CVE]

CVE-2022-30025
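
For defenders running the affected product, one way to flag suspicious requests against the component named above, as an added example that is not part of the original advisory or the vendor's code: it inspects form-encoded POST bodies sent to `/Framewrk/Home.jsp` for `v` values that carry SQL syntax. The allowed-value pattern, the `/ideal/` path prefix and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path suffix and parameter named in the advisory (component is "*/Framewrk/Home.jsp").
TARGET_SUFFIX = "/framewrk/home.jsp"
PARAM = "v"
# Assumption: legitimate "v" values are short alphanumeric tokens. The advisory
# does not document the parameter's format, so tune this to observed traffic.
ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# SQL syntax that has no place in a token-like value.
SQL_MARKERS = re.compile(
    r"""['";]|--|/\*|\b(?:union|select|insert|update|delete|drop|exec|sleep|waitfor)\b""",
    re.IGNORECASE,
)

def inspect_request(method, url, body):
    """Return findings for one request with a form-encoded body (empty list = clean)."""
    # The advisory names the POST method only, so other methods are out of scope here.
    if method.upper() != "POST" or not urlsplit(url).path.lower().endswith(TARGET_SUFFIX):
        return []
    # parse_qs URL-decodes values and keeps repeated parameters, so a second
    # "v" cannot hide behind a benign first one.
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    findings = []
    for value in values:
        if SQL_MARKERS.search(value):
            findings.append(("sql-syntax", value))
        elif not ALLOWED.fullmatch(value):
            findings.append(("unexpected-format", value))
    return findings

# Constructed sample requests (method, URL, body); not captured traffic.
SAMPLES = [
    ("POST", "/ideal/Framewrk/Home.jsp", "v=dashboard01"),
    ("POST", "/ideal/Framewrk/Home.jsp", "v=1%27+OR+%271%27%3D%271"),
    ("POST", "/ideal/Framewrk/Home.jsp", "v=ok&v=x%3B+SELECT+1"),
    ("GET", "/ideal/Framewrk/Home.jsp?v=1%27", ""),
    ("POST", "/ideal/Other.jsp", "v=1%27"),
]

def scan(samples=SAMPLES):
    """Return (method, url, findings) for every sample that produced findings."""
    return [(m, u, f) for m, u, b in samples if (f := inspect_request(m, u, b))]

if __name__ == "__main__":
    for method, url, findings in scan():
        print(method, url, findings)
```

Because the advisory requires an authenticated session, pairing each finding with the session or user identifier from the same log record shows which account issued the request.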
