CVE-2022-48598: 
ScienceLogic SL1 Agent vulnerability analysis and mitigation

A SQL injection vulnerability was identified in ScienceLogic SL1's "reporter events type date" feature. The vulnerability, tracked as CVE-2022-48598, affects versions 11.1.2 and earlier of the product. The issue stems from unsanitized user-controlled input being passed directly to SQL queries (Securifera).

The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, requires no user interaction, and can result in high impacts to confidentiality, integrity, and availability (Securifera).

The SQL injection vulnerability allows attackers to inject arbitrary SQL commands that are executed against the database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, and potential system compromise (Securifera).

Users are advised to update to the latest version of ScienceLogic SL1 that contains fixes for this vulnerability (Securifera).

The disclosure timeline reveals some tension in the vulnerability reporting process. The vendor initially hired a law firm to manage disclosure and advised against CVE issuance. The vulnerability was finally disclosed publicly on August 9, 2023, almost a year after initial notification (Securifera).