Vulnerability Description
A SQL Injection vulnerability exists in UniverSIS UniverSIS-API through 1.2.1 via the $select parameter to multiple API endpoints. A remote authenticated attacker could send crafted SQL statements to a vulnerable endpoint (such as /api/students/me/messages/) to, for example, retrieve personal information or change grades.
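The fix class for this bug is to stop the client-supplied $select value from ever reaching the SQL SELECT list unchecked. The example below is added here and is not UniverSIS code; it assumes a hypothetical messages endpoint with a fixed set of exposable columns and a parameterized database driver, and rejects any $select entry that is not in the allowlist instead of concatenating it into the query.

```javascript
// Added example (not UniverSIS code): allowlist validation for an OData-style
// $select parameter before it reaches a SQL SELECT list. Assumes a hypothetical
// messages endpoint exposing a fixed set of columns.

// Client-visible field name -> vetted SQL column name (constructed sample).
const ALLOWED_FIELDS = new Map([
  ['id', 'id'],
  ['subject', 'subject'],
  ['body', 'body'],
  ['dateReceived', 'date_received'],
]);

const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Parse "$select=a,b,c" into a list of vetted SQL column names.
// Anything that is not a plain identifier on the allowlist (subqueries,
// statement separators, unknown columns) throws instead of being spliced
// into the statement. An empty $select means "all exposable columns".
function parseSelect(rawSelect) {
  if (rawSelect === undefined || rawSelect === null || rawSelect.trim() === '') {
    return [...ALLOWED_FIELDS.values()];
  }
  const columns = [];
  for (const part of rawSelect.split(',')) {
    const name = part.trim();
    if (!IDENTIFIER.test(name) || !ALLOWED_FIELDS.has(name)) {
      throw new Error(`$select: unknown field "${name}"`);
    }
    const col = ALLOWED_FIELDS.get(name);
    if (!columns.includes(col)) columns.push(col);
  }
  return columns;
}

// Build the statement from vetted identifiers only; the caller's identity is
// bound as a driver parameter ($1), never concatenated into the text.
function buildMessagesQuery(rawSelect, studentId) {
  const cols = parseSelect(rawSelect).map((c) => `"${c}"`).join(', ');
  return {
    text: `SELECT ${cols} FROM messages WHERE student_id = $1`,
    values: [studentId],
  };
}
```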
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Universis | Universis-Api | <= 1.2.1 |
Related Weaknesses (CWE)
References
- https://gitlab.com/universis/universis-api/-/commit/39e47d7f4654c83296b8de61b243 (Patch, Third Party Advisory)
- https://suumcuique.org/blog/posts/sql-injection-vulnerability-universis/ (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2022-29603?
CVE-2022-29603 is a vulnerability with a CVSS score of 8.1 (HIGH). A SQL Injection vulnerability exists in UniverSIS UniverSIS-API through 1.2.1 via the $select parameter to multiple API endpoints. A remote authenticated attacker could send crafted SQL statements to ...
How severe is CVE-2022-29603?
CVE-2022-29603 has been rated HIGH with a CVSS base score of 8.1/10; see the CVSS Score section above.
Is there a patch for CVE-2022-29603?
Check the references section above for vendor advisories and patch information. Affected products include: Universis Universis-Api.