CVE-2022-30025 in Analytics iDEAL Wealth and Fundsinfo

Summary

by MITRE • 05/25/2023

SQL injection in "/Framewrk/Home.jsp" file (POST method) in tCredence Analytics iDEAL Wealth and Funds - 1.0 iallows authenticated remote attackers to inject payload via "v" parameter.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/29/2026

The vulnerability identified as CVE-2022-30025 represents a critical sql injection flaw within the tCredence Analytics iDEAL Wealth and Funds platform version 1.0. This security weakness exists in the Home.jsp file which processes post method requests and specifically targets the "v" parameter for input validation. The vulnerability affects authenticated remote attackers who can leverage this weakness to execute malicious sql commands against the underlying database system. The affected component operates as part of a financial analytics platform that likely processes sensitive wealth management and fund data, making this vulnerability particularly concerning from a data protection perspective.

The technical implementation of this vulnerability stems from inadequate input sanitization within the web application's parameter handling mechanism. When the "v" parameter is submitted through the post method to the Home.jsp endpoint, the application fails to properly validate or escape the input before incorporating it into sql query construction. This allows attackers to inject malicious sql payloads that can manipulate the database directly. The vulnerability aligns with CWE-89 which specifically addresses sql injection flaws where untrusted data is incorporated into sql commands without proper sanitization. The attack vector requires authentication, which means that the vulnerability can be exploited by legitimate users with valid credentials, potentially leading to privilege escalation or data exfiltration.

The operational impact of this vulnerability extends beyond simple data manipulation to encompass potential complete database compromise. Attackers could extract sensitive financial information, modify user credentials, or even delete critical data within the wealth management system. Given that this platform handles financial analytics and fund data, the potential for financial fraud, regulatory compliance violations, and reputational damage is substantial. The vulnerability also creates opportunities for lateral movement within the network if database credentials are not properly isolated from application components. This weakness can be leveraged to establish persistent access or to pivot to other systems within the organization's infrastructure, representing a significant threat to overall security posture.

Mitigation strategies for this vulnerability should prioritize immediate patching of the affected application version and implementation of proper input validation controls. The recommended approach includes parameterized queries or prepared statements to prevent sql injection, along with comprehensive input sanitization and validation of all user-supplied data. Organizations should implement web application firewalls to detect and block suspicious sql injection patterns and establish network segmentation to limit access to database systems. Additionally, privilege separation should be enforced where database accounts used by the application have minimal required permissions to reduce potential impact. The vulnerability also highlights the importance of regular security assessments and code reviews to identify similar flaws in other components of the financial analytics platform. This issue should be prioritized in accordance with ATT&CK framework tactic TA0006 (credential access) and technique T1190 (exploitation of remote services) as it enables unauthorized access to sensitive financial data through authenticated exploitation.

Reservation

05/02/2022

Disclosure

05/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00840

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!