SQL Injection and Remote Code Execution in Network Olympus v1.8.0

SQL Injection and Remote Code Execution in Network Olympus v1.8.0

CVE-2022-25225 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Network Olympus version 1.8.0 allows an authenticated admin user to inject SQL queries in '/api/eventinstance' via the 'sqlparameter' JSON parameter. It is also possible to achieve remote code execution in the default installation (PostgreSQL) by exploiting this issue.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.