CVE-2021-44874
HIGHDalmark Systems Systeam 2.22.8 build 1724 - Authenticated SQL Injection via BI Report Endpoint
Title source: llmDescription
Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Insecure design on report build via SQL query. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. The bi report module exposes direct SQL commands via POST data in order to select data for report generation. A malicious actor can use the bi report endpoint as a direct SQL prompt under the authenticated user.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://www.systeam.com.br/cve/insecure%20design%20-%20sql%20manipulation-en.txt
Scores
CVSS v3
8.8
EPSS
0.0104
EPSS Percentile
60.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
dalmark/systeam_enterprise_resource_planning
2.22.8 build_1724
Published
Dec 21, 2021
Tracked Since
Feb 18, 2026