CVE-2022-31890

CRITICAL

Enhancesoft Audit Log < 2022-04-21 - SQL Injection

Title source: rule

Description

SQL Injection vulnerability in audit/class.audit.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae via the order parameter to the getOrder function.

Exploits (1)

nomisec WORKING POC

by reewardius · poc

https://github.com/reewardius/CVE-2022-31890

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] https://checkmarx.com/blog/securing-open-source-solutions-a-study-of-osticket-vulnerabilities/

[Patch] https://github.com/osTicket/osTicket-plugins/commit/0b59afbd2d4ccd0522552198a9aaf1ec05b5071e

Scores

CVSS v3 9.8

EPSS 0.1380

EPSS Percentile 94.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

enhancesoft/audit_log < 2022-04-21

Published Apr 05, 2023

Tracked Since Feb 18, 2026