CVE-2022-48600: 
ScienceLogic SL1 Agent vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in the 'notes view' feature of ScienceLogic SL1 versions 11.1.2 and earlier. The vulnerability, identified as CVE-2022-48600, was disclosed on August 9, 2023. The issue stems from unsanitized user-controlled input being passed directly to SQL queries (Securifera Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires network access and low privileges to exploit, requires no user interaction, and can result in high impacts to confidentiality, integrity, and availability (Securifera Advisory).

The SQL injection vulnerability allows attackers to inject arbitrary SQL commands that are executed against the database. This could potentially lead to unauthorized access to sensitive data, manipulation of database contents, and compromise of the system's integrity (Securifera Advisory).

Users are advised to update to the latest version of ScienceLogic SL1 that addresses this vulnerability (Securifera Advisory).

The disclosure process involved some controversy, as the vendor initially refused CVE issuance and disclosure, with their legal team advising against disclosing to MITRE. The vulnerability was eventually publicly disclosed on August 9, 2023, after the researcher notified the vendor of intent to issue CVEs and disclose vulnerabilities (Securifera Advisory).