Track It
CVE-2022-35864
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It! 20.21.02.109. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetPopupSubQueryDetails endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16690.
AnalysisAI
This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It!. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It! 20.21.02.109. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetPopupSubQueryDetails endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16690. Affected products include: Bmc Track-It\!.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
BMC Track-It!. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public
BMC Track-It!. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Publ
SQL injection vulnerability in TrackItWeb/Grid/GetData in BMC Track-It!. Rated medium severity (CVSS 6.5), this vulnerab
BMC Track-It!. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Publ
This vulnerability allows remote attackers to execute arbitrary code on affected installations of BMC Track-It!. Rated c
This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Rated cr
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today