CVE-2022-45889 in eStream
Summary
by MITRE • 12/25/2022
Planet eStream before 6.72.10.07 allows a remote attacker (who is a publisher or admin) to obtain access to all records stored in the database, and achieve the ability to execute arbitrary SQL commands, via Search (the StatisticsResults.aspx flt parameter).
Analysis
by VulDB Data Team • 04/14/2025
This vulnerability exists in Planet eStream versions prior to 6.72.10.07 and represents a critical security flaw that allows authenticated attackers with publisher or administrator privileges to gain unauthorized access to all database records and execute arbitrary SQL commands. The vulnerability manifests through the Search functionality, where the StatisticsResults.aspx page processes the flt parameter without proper input validation or sanitization, creating a SQL injection path that any account holding one of those roles can exploit.
The technical flaw stems from inadequate parameter handling within the web application's search mechanism, where user-supplied input from the flt parameter is directly incorporated into SQL query construction without proper escaping or parameterization. This classic SQL injection vulnerability allows an attacker to manipulate the underlying database queries and extract sensitive information from all records stored within the system. Exploitation requires publisher or administrator level access, which narrows the pool of potential attackers but does not make the flaw benign: it can be leveraged by insiders, or by an outside party who has compromised an account with one of those elevated roles.
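To make the flaw pattern concrete, the following added example (not eStream's code; the table, column names and sample rows are constructed stand-ins) places a search handler that concatenates the flt value into the statement next to the parameterized form that the remediation guidance calls for. The same constructed tautology input returns every row from the vulnerable handler and nothing from the bound-parameter handler, because a bound value can only ever be compared as data:

```python
import sqlite3

# Constructed stand-in for a statistics table; this is not eStream's schema.
SAMPLE_ROWS = [
    ("intro.mp4", "alice", 120),
    ("lecture2.mp4", "bob", 45),
    ("private-board-meeting.mp4", "carol", 3),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE media_stats (title TEXT, owner TEXT, views INTEGER)")
    conn.executemany("INSERT INTO media_stats VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, owner, flt):
    """CWE-89 pattern: the filter text is spliced straight into the SQL string.

    The owner check is meant to scope results to the caller's own records, but
    anything the filter contributes becomes part of the query syntax.
    """
    sql = (
        "SELECT title, views FROM media_stats WHERE owner = '" + owner
        + "' AND title LIKE '%" + flt + "%'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, owner, flt):
    """Hardened form: identical query, but both values are bound parameters.

    The driver sends the filter as data, so quotes, comment markers or
    keywords inside it are matched literally against the title column.
    """
    sql = "SELECT title, views FROM media_stats WHERE owner = ? AND title LIKE ?"
    return conn.execute(sql, (owner, f"%{flt}%")).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed tautology input, used only to contrast the two handlers.
    probe = "' OR 1=1 --"
    print("benign filter, parameterized:", search_parameterized(db, "alice", "intro"))
    print("tautology, vulnerable:   ", search_vulnerable(db, "alice", probe))
    print("tautology, parameterized:", search_parameterized(db, "alice", probe))
```

The vulnerable handler's scoping clause (`owner = ...`) is defeated because the injected `OR` sits outside the quoted string and the trailing comment discards the rest of the statement; the parameterized handler never reaches a point where the filter can alter the query's structure, which is why the analysis recommends parameterization over escaping.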
The operational impact of this vulnerability is severe and multifaceted, as it enables complete database compromise and potential system takeover. An attacker can extract all stored records including user credentials, personal information, system configurations, and other sensitive data that may be stored in the database. The ability to execute arbitrary SQL commands further amplifies the threat, as it allows for data modification, deletion, or even database schema manipulation. This vulnerability essentially provides a backdoor to the entire database infrastructure, making it a prime target for data exfiltration, lateral movement, and persistent access within the affected environment.
Organizations using Planet eStream should immediately apply the vendor-provided patch, upgrading to version 6.72.10.07 or later, to remediate this vulnerability. A complete fix requires input validation and parameterization of all database queries, with proper escaping for any user-supplied value that cannot be bound as a parameter. Additionally, organizations should conduct thorough security assessments of their database systems, review access controls to ensure that least privilege principles are enforced for the publisher and administrator roles, and implement database and web-server activity monitoring to detect potential exploitation attempts against the flt parameter. This vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws, and represents a clear violation of the principle of least privilege as defined in the NIST Cybersecurity Framework. The ATT&CK framework categorizes this as a SQL injection technique, potentially leading to data access and execution capabilities that could be used for further system compromise and persistence within the network environment.
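The monitoring recommendation above can be approached from the web-server side even before database auditing is in place. The added example below (not part of this advisory or of the vendor's product) parses a constructed W3C-style log excerpt, a subset of the fields IIS can emit, decodes the flt query parameter on requests to StatisticsResults.aspx, and flags values containing SQL metacharacters or keywords. The log lines, usernames and addresses are constructed, and the signature list is a deliberately coarse heuristic to be tuned against a site's real search traffic:

```python
import re
from urllib.parse import parse_qs

# Constructed W3C-style log excerpt (a subset of IIS fields); not real eStream logs.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2022-12-01 09:15:02 GET /StatisticsResults.aspx flt=lecture publisher1 10.0.0.12 200
2022-12-01 09:16:40 GET /StatisticsResults.aspx flt=%27+OR+1%3D1+-- publisher1 10.0.0.12 200
2022-12-01 09:17:05 GET /Default.aspx - admin 10.0.0.5 200
2022-12-01 09:18:11 GET /StatisticsResults.aspx flt=x%27+UNION+SELECT+1%2C2-- publisher2 10.0.0.30 500
"""

# Coarse SQL-injection indicators: quote, comment markers, statement separator,
# or keywords that have no business in a media-title search. Tune per site.
SUSPICIOUS = re.compile(r"'|--|;|/\*|\b(union|select|waitfor|exec)\b|xp_", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, values))


def suspicious_flt_requests(text, stem="/StatisticsResults.aspx"):
    """Return the requests whose decoded flt parameter matches SUSPICIOUS.

    Each hit records when it happened, which account and client address sent
    it, the decoded filter, and the HTTP status (a 500 alongside a flagged
    value is a strong signal that the injected text reached the database).
    """
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != stem.lower():
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qs undoes percent-encoding and '+' so the signature sees raw text.
        for flt in parse_qs(query, keep_blank_values=True).get("flt", []):
            if SUSPICIOUS.search(flt):
                hits.append({
                    "time": f"{rec['date']} {rec['time']}",
                    "user": rec["cs-username"],
                    "client": rec["c-ip"],
                    "status": rec["sc-status"],
                    "flt": flt,
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_flt_requests(SAMPLE_LOG):
        print(hit)
```

Because the flaw is only reachable by publisher or administrator accounts, every hit is attributable to a named privileged user; a flagged value from an account that does not normally run statistics searches, or from an unfamiliar client address, is the insider or compromised-credential scenario the analysis describes and should be triaged together with the database's own audit trail.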