A critical SQL injection vulnerability exists in VIAVIWEB Wallpaper Admin products, identified as CVE-2022-50894. This flaw allows an authenticated attacker to manipulate database queries and steal sensitive information, such as user credentials and configuration data. Due to the high severity (CVSS 9.8), successful exploitation could lead to a complete compromise of the application's database, resulting in a significant data breach.

The vulnerability is an SQL injection flaw in the edit_gallery_image.php script. An authenticated attacker can exploit this by sending a specially crafted GET request where the img_id parameter contains malicious SQL code. Because the application fails to properly sanitize this user-supplied input, the malicious code is executed directly by the database, allowing the attacker to bypass security controls and exfiltrate sensitive data from the database.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant risk to the organization. A successful attack could result in a complete loss of data confidentiality and integrity within the application's database. Potential consequences include the theft of user credentials, personal information, and other sensitive data, leading to reputational damage, regulatory penalties, and financial loss. While the vulnerability requires authentication, a low-privileged user account is sufficient to launch a high-impact attack.

Immediate Action: The primary remediation is to apply the vendor-supplied security patches immediately. Upgrade all instances of VIAVIWEB Wallpaper Admin to the latest secure version to resolve the vulnerability.

Proactive Monitoring: System administrators should actively monitor web server and application logs for suspicious activity targeting edit_gallery_image.php. Look for GET requests with unusual or malformed img_id parameters containing SQL keywords (e.g., UNION, SELECT, --, ' OR '1'='1'). Monitor for anomalous database query patterns or unexpected outbound network traffic that could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block SQL injection attacks. Additionally, enforce the principle of least privilege for the application's database user account to limit the potential impact of a successful exploit.

Public Exploit Available: true

Given the critical severity (CVSS 9.8) and the high potential for data exfiltration, it is strongly recommended that organizations prioritize patching this vulnerability immediately. All affected VIAVIWEB Wallpaper Admin instances should be upgraded to the latest version without delay. In parallel, security teams should review access logs for any evidence of past exploitation attempts. If patching is delayed for any reason, the implementation of compensating controls, such as a WAF, is crucial to mitigate the immediate risk.