Login Sign Up

CVE-2022-46501

9.8 CRITICAL
SQL Injection

📋 TL;DR

This SQL injection vulnerability in Accruent Maintenance Connection allows attackers to execute arbitrary SQL commands through the E-Mail to Work Order function. It affects all versions of Maintenance Connection 2021 and version 2022.2, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • Accruent Maintenance Connection
Versions: 2021 (all versions), 2022.2
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the E-Mail to Work Order function which is likely enabled by default.

📦 What is this software?

Maintenance Connection by Accruent

View all CVEs affecting Maintenance Connection →

Maintenance Connection by Accruent

View all CVEs affecting Maintenance Connection →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution on the database server.

🟠

Likely Case

Unauthorized data access, data modification, and potential extraction of sensitive information from the database.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity, but specific exploit details are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2022.3 or later

Vendor Advisory: http://accruent.com

Restart Required: Yes

Instructions:

1. Backup database and application. 2. Download and install Maintenance Connection 2022.3 or later from Accruent. 3. Restart application services. 4. Verify functionality.

🔧 Temporary Workarounds

Disable E-Mail to Work Order Function

all

Temporarily disable the vulnerable feature until patching can be completed.

Implement WAF Rules

all

Configure web application firewall to block SQL injection patterns targeting the vulnerable endpoint.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries for all database interactions
  • Apply network segmentation to isolate the Maintenance Connection server from critical systems

🔍 How to Verify

Check if Vulnerable:

Check Maintenance Connection version in application settings or about dialog. If version is 2021.x or 2022.2, system is vulnerable.

Check Version:

Check application version in Maintenance Connection admin interface or about dialog.

Verify Fix Applied:

Verify version is 2022.3 or later and test E-Mail to Work Order function with SQL injection test payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns in database logs
  • Multiple failed login attempts via email function
  • Unexpected database schema changes

Network Indicators:

  • Unusual database connection patterns from application server
  • Large data transfers from database server

SIEM Query:

source="database_logs" AND ("UNION SELECT" OR "OR 1=1" OR "--" OR ";--")

📊 Metadata

CVE ID: CVE-2022-46501
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: March 2, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-46501, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)