Skip to main content

Command Centre CVE-2022-26348

MEDIUM
SQL Injection (CWE-89)
2022-07-06 disclosures@gallagher.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 06, 2022 - 17:15 nvd
MEDIUM 5.5

DescriptionNVD

Command Centre Server is vulnerable to SQL Injection via Windows Registry settings for date fields on the server. The Windows Registry setting allows an attacker using the Visitor Management Kiosk, an application designed for public use, to invoke an arbitrary SQL query that has been preloaded into the registry of the Windows Server to obtain sensitive information. This issue affects: Gallagher Command Centre 8.60 versions prior to 8.60.1652; 8.50 versions prior to 8.50.2245; 8.40 versions prior to 8.40.2216; 8.30 versions prior to 8.30.1470; version 8.20 and prior versions.

AnalysisAI

Command Centre Server is vulnerable to SQL Injection via Windows Registry settings for date fields on the server. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Command Centre Server is vulnerable to SQL Injection via Windows Registry settings for date fields on the server. The Windows Registry setting allows an attacker using the Visitor Management Kiosk, an application designed for public use, to invoke an arbitrary SQL query that has been preloaded into the registry of the Windows Server to obtain sensitive information. This issue affects: Gallagher Command Centre 8.60 versions prior to 8.60.1652; 8.50 versions prior to 8.50.2245; 8.40 versions prior to 8.40.2216; 8.30 versions prior to 8.30.1470; version 8.20 and prior versions. Affected products include: Gallagher Command Centre. Version information: prior to 8.60.1652.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2020-16098 CRITICAL
9.8 Sep 15

It is possible to enumerate access card credentials via an unauthenticated network connection to the server in versions

CVE-2019-15294 CRITICAL
9.8 Aug 28

An issue was discovered in Gallagher Command Centre 8.10 before 8.10.1092(MR2). Rated critical severity (CVSS 9.8), this

CVE-2021-23140 HIGH
8.8 Jun 11

Improper Authorization vulnerability in Gallagher Command Centre Server allows command line macros to be modified by an

CVE-2020-16103 HIGH
8.8 Dec 14

Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote

CVE-2020-16102 HIGH
8.2 Dec 14

Improper Authentication vulnerability in Gallagher Command Centre Server allows an unauthenticated remote attacker to cr

CVE-2023-23570 HIGH
8.1 Dec 18

Client-Side enforcement of Server-Side security for the Command Centre server could be bypassed and lead to invalid conf

CVE-2021-23205 HIGH
8.1 Jun 11

Improper Encoding or Escaping in Gallagher Command Centre Server allows a Command Centre Operator to alter the configura

CVE-2021-23197 HIGH
7.8 Nov 18

Unquoted service path vulnerability in the Gallagher Controller Service allows an unprivileged user to execute arbitrary

CVE-2020-16096 HIGH
7.7 Sep 15

In Gallagher Command Centre versions 8.10 prior to 8.10.1134(MR4), 8.00 prior to 8.00.1161(MR5), 7.90 prior to 7.90.991(

CVE-2023-22363 HIGH
7.5 Jul 25

A stack-based buffer overflow in the Command Centre Server allows an attacker to cause a denial of service attack via as

CVE-2021-23146 HIGH
7.5 Nov 18

An Incomplete Comparison with Missing Factors vulnerability in the Gallagher Controller allows an attacker to bypass PIV

CVE-2020-16101 HIGH
7.5 Sep 15

It is possible for an unauthenticated remote DCOM websocket connection to crash the Command Centre service due to an out

Share

CVE-2022-26348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy