Vulnerability Spotlight: Vulnerabilities in Lansweeper could lead to JavaScript, SQL injections

Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered multiple vulnerabilities in the Lansweeper IT asset management solution that could allow an attacker to inject JavaScript or SQL code on the targeted device. 

Lansweeper gathers the hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes. There are vulnerabilities in multiple .aspx files contained in Lansweeper that, if targeted correctly, could allow an adversary to inject malicious code.

TALOS-2022-1441 (CVE-2022-22149), TALOS-2022-1443 (CVE-2022-21234) and TALOS-2022-1444 (CVE-2022-21210) can all be triggered if the attacker sends the targeted device a specially crafted HTTP request. The HTTP request can trigger an error that eventually allows the attacker to inject SQL code. An adversary needs to be authenticated and have proper permissions to exploit these vulnerabilities. 

TALOS-2022-1442 (CVE-2022-21145) similarly occurs after a specially crafted HTTP request is sent to the targeted device. In this case, however, it opens the door to a cross-site scripting attack where the adversary can inject arbitrary JavaScript. 

Cisco Talos worked with Lansweeper to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged

Read More: http://blog.talosintelligence.com/2022/03/vuln-spotlight-.html