Login Sign Up

CVE-2022-27434

9.8 CRITICAL
SQL Injection

📋 TL;DR

CVE-2022-27434 is a SQL injection vulnerability in UNIT4 TETA Mobile Edition that allows attackers to execute arbitrary SQL commands via the ProfileName parameter. This affects all TETA ME installations before version 29.5.HF17, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • UNIT4 TETA Mobile Edition
Versions: All versions before 29.5.HF17
Operating Systems: Not OS-specific - affects the application itself
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the errorReporting page specifically through the ProfileName parameter.

📦 What is this software?

Teta by Unit4

View all CVEs affecting Teta →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full database compromise including data theft, data manipulation, and potential remote code execution on the database server.

🟠

Likely Case

Unauthorized data access, extraction of sensitive information, and potential privilege escalation within the database.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH - The vulnerability is in a web interface parameter and can be exploited remotely.
🏢 Internal Only: HIGH - Even internal attackers could exploit this vulnerability to gain unauthorized database access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized and public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 29.5.HF17 and later

Vendor Advisory: https://teta.unit4.com/pl

Restart Required: Yes

Instructions:

1. Download the latest patch from UNIT4 TETA vendor portal. 2. Apply the patch following vendor instructions. 3. Restart the TETA Mobile Edition service. 4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize the ProfileName parameter

Not applicable - requires code changes

WAF Rule

all

Deploy web application firewall rules to block SQL injection patterns

Not applicable - WAF configuration required

🧯 If You Can't Patch

  • Restrict network access to the TETA ME interface using firewall rules
  • Implement database user privilege restrictions to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check if version is below 29.5.HF17 in TETA ME administration interface

Check Version:

Check TETA ME web interface or configuration files for version information

Verify Fix Applied:

Confirm version is 29.5.HF17 or higher and test the errorReporting page with SQL injection test payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests to errorReporting page with suspicious ProfileName values

Network Indicators:

  • HTTP POST requests to errorReporting page containing SQL keywords in parameters

SIEM Query:

source="web_server" AND uri="/errorReporting" AND (param="ProfileName" AND value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "INSERT")

📊 Metadata

CVE ID: CVE-2022-27434
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: July 18, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-27434, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)