CVE-2022-26348

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Command Centre Server is vulnerable to SQL Injection via Windows Registry settings for date fields on the server. The Windows Registry setting allows an attacker using the Visitor Management Kiosk, an application designed for public use, to invoke an arbitrary SQL query that has been preloaded into the registry of the Windows Server to obtain sensitive information. This issue affects: Gallagher Command Centre 8.60 versions prior to 8.60.1652; 8.50 versions prior to 8.50.2245; 8.40 versions prior to 8.40.2216; 8.30 versions prior to 8.30.1470; version 8.20 and prior versions.

Command Centre Server es vulnerable a una inyección SQL por medio de la configuración del Registro de Windows para los campos de fecha en el servidor. La configuración del Registro de Windows permite a un atacante usando el Kiosco de Administración de Visitantes, una aplicación diseñada para uso público, invocar una consulta SQL arbitraria que ha sido precargada en el registro del Servidor de Windows para obtener información confidencial. Este problema afecta a: Gallagher Command Centre versiones 8.60 anteriores a 8.60.1652; versiones 8.50 anteriores a 8.50.2245; versiones 8.40 anteriores a 8.40.2216; versiones 8.30 anteriores a 8.30.1470; versiones 8.20 y anteriores

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-03-04 CVE Reserved
2022-07-06 CVE Published
2024-01-27 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://security.gallagher.com/Security-Advisories/CVE-2022-26348	2022-07-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gallagher Search vendor "Gallagher"		Command Centre Search vendor "Gallagher" for product "Command Centre"				<= 8.20 Search vendor "Gallagher" for product "Command Centre" and version " <= 8.20"		-		Affected
Gallagher Search vendor "Gallagher"		Command Centre Search vendor "Gallagher" for product "Command Centre"				>= 8.30 < 8.30.1470 Search vendor "Gallagher" for product "Command Centre" and version " >= 8.30 < 8.30.1470"		-		Affected
Gallagher Search vendor "Gallagher"		Command Centre Search vendor "Gallagher" for product "Command Centre"				>= 8.40 < 8.40.2216 Search vendor "Gallagher" for product "Command Centre" and version " >= 8.40 < 8.40.2216"		-		Affected
Gallagher Search vendor "Gallagher"		Command Centre Search vendor "Gallagher" for product "Command Centre"				>= 8.50 < 8.50.2245 Search vendor "Gallagher" for product "Command Centre" and version " >= 8.50 < 8.50.2245"		-		Affected
Gallagher Search vendor "Gallagher"		Command Centre Search vendor "Gallagher" for product "Command Centre"				>= 8.60 < 8.60.1652 Search vendor "Gallagher" for product "Command Centre" and version " >= 8.60 < 8.60.1652"		-		Affected