This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It! 20.21.02.109. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetPopupSubQueryDetails endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-16690.
References
| Link | Resource |
|---|---|
| https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It-Version-2 | Patch Vendor Advisory |
| https://www.zerodayinitiative.com/advisories/ZDI-22-967/ | Third Party Advisory VDB Entry |
Configurations
Configuration 1 (hide)
|
History
09 Aug 2022, 16:20
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:bmc:track-it\!:20.21.02:*:*:*:*:*:*:* cpe:2.3:a:bmc:track-it\!:20.21.01:*:*:*:*:*:*:* cpe:2.3:a:bmc:track-it\!:20.20.01:*:*:*:*:*:*:* cpe:2.3:a:bmc:track-it\!:20.20.03:*:*:*:*:*:*:* cpe:2.3:a:bmc:track-it\!:20.20.02:*:*:*:*:*:*:* cpe:2.3:a:bmc:track-it\!:20.19.03:*:*:*:*:*:*:* |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| First Time |
Bmc
Bmc track-it\! |
|
| References | (MISC) https://community.bmc.com/s/article/Security-vulnerabilities-patched-in-Track-It-Version-2 - Patch, Vendor Advisory | |
| References | (MISC) https://www.zerodayinitiative.com/advisories/ZDI-22-967/ - Third Party Advisory, VDB Entry |
03 Aug 2022, 16:27
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-08-03 16:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-35864
Mitre link : CVE-2022-35864
CVE.ORG link : CVE-2022-35864
JSON object : View
Products Affected
bmc
- track-it\!
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')