Cloud Vulnerability DB
A community-led vulnerabilities database
Adobe RoboHelp Server versions 11.4 and earlier are affected by an SQL Injection vulnerability (CVE-2023-22275) that was discovered and disclosed in November 2023. The vulnerability specifically exists within the GetNewUserId method and could lead to information disclosure when exploited by an unauthenticated attacker. This security flaw does not require any user interaction for exploitation (NVD, ZDI).
The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command (CWE-89). It has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The specific flaw exists within the GetNewUserId method, where there is inadequate validation of user-supplied strings before they are used in SQL query construction (ZDI).
When successfully exploited, this vulnerability allows attackers to disclose sensitive information in the context of the application database. The high CVSS score reflects the significant potential for information disclosure, though the vulnerability does not affect system integrity or availability (ZDI).
Adobe has released a security update to address this vulnerability. Users are advised to update their RoboHelp Server installations to the latest version that includes the security fix (ZDI).
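To make the CWE-89 pattern described above concrete, here is an added illustration (not RoboHelp Server code; the table, function names and sample rows are constructed assumptions) of a lookup that splices an unauthenticated user-supplied string into its SQL text, next to the same lookup with a bound parameter and an input allowlist:

```python
import re
import sqlite3

# Constructed sample data standing in for an application user table; the
# schema and function names are assumptions, not RoboHelp Server's own code.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def get_user_id_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # CWE-89: the caller-controlled string becomes part of the SQL text, so a
    # quote inside it changes the query instead of being treated as data.
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def get_user_id_fixed(conn: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the value travels separately from the SQL text, so the
    # database never parses it as part of the statement.
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # assumed user-name alphabet

def get_user_id_validated(conn: sqlite3.Connection, name: str) -> list:
    # Defence in depth: reject input outside the expected alphabet before it
    # reaches the database at all, then use the parameterised query.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return get_user_id_fixed(conn, name)

if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"   # constructed input; not a real user name
    # Vulnerable variant returns every row (confidentiality impact, matching C:H).
    print(get_user_id_vulnerable(db, injected))
    # Fixed variant returns [] because the whole string is compared as data.
    print(get_user_id_fixed(db, injected))
```

The vulnerable variant only leaks data; it does not modify rows or crash the service, which is why this class of flaw can carry a high confidentiality score with no integrity or availability impact.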
Source: This report was generated using AI