CVE-2022-34324
Published: 01 January 2023
Summary
CVE-2022-34324 is a high-severity SQL Injection (CWE-89) vulnerability in Sage XRT Business Exchange. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 34.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-34324 is a set of SQL injection flaws, tracked under CWE-89, that affect Sage XRT Business Exchange version 12.4.302. The issues reside in the Add Currencies, Payment Order, and Transfer History functions and permit an authenticated user to supply crafted input that is concatenated directly into SQL queries.
An attacker with a valid account can reach the affected application over the network and, with low attack complexity, execute arbitrary SQL commands. Successful exploitation yields full read/write access to the database and can result in complete compromise of confidentiality, integrity, and availability, consistent with the CVSS 8.8 rating.
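The root cause described above (user-controlled input concatenated into SQL text) is the general CWE-89 pattern. The following is an added example written for this page, not code from Sage or from the Synacktiv report: a hypothetical currency lookup built on SQLite with a constructed table, shown first in the concatenating form and then with a bound parameter, so the difference in how the same input is treated can be seen directly.

```python
"""Added illustration of CWE-89: string concatenation vs. a parameterized
query. Illustrative code only, not Sage XRT code; the 'currencies' table,
its rows and the two lookup functions are hypothetical."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an application's currency table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE currencies (code TEXT PRIMARY KEY, name TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO currencies VALUES (?, ?, ?)",
        [
            ("EUR", "Euro", 1),
            ("GBP", "Pound sterling", 1),
            ("XYZ", "Retired test currency", 0),
        ],
    )
    return conn


def lookup_currency_unsafe(conn: sqlite3.Connection, code: str) -> list:
    # Vulnerable pattern: the caller's input becomes part of the SQL text,
    # so a quote character in the input changes the query's structure.
    sql = (
        "SELECT code, name FROM currencies WHERE active = 1 AND code = '"
        + code
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_currency_safe(conn: sqlite3.Connection, code: str) -> list:
    # Hardened pattern: a placeholder plus a bound parameter. The driver
    # sends the value separately, so it can only ever be compared as data.
    sql = "SELECT code, name FROM currencies WHERE active = 1 AND code = ?"
    return conn.execute(sql, (code,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign code and with a constructed input
    that carries a quote and a comment marker, and return the row sets."""
    conn = build_db()
    benign = "EUR"
    crafted = "' OR 1=1 --"  # constructed test input, not from the report
    return {
        "unsafe_benign": lookup_currency_unsafe(conn, benign),
        "unsafe_crafted": lookup_currency_unsafe(conn, crafted),
        "safe_benign": lookup_currency_safe(conn, benign),
        "safe_crafted": lookup_currency_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenating version the crafted input turns the `WHERE` clause into `active = 1 AND code = '' OR 1=1`, so every row is returned, including the inactive one the filter was meant to exclude; the parameterized version compares the whole string as a literal and returns nothing. The same contrast holds for the insert, update and history-style queries the advisory names: the fix is to bind every user-supplied value rather than to filter characters.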
The two reference URLs point to the same Synacktiv technical report that details the injection points; no vendor advisory or patch information is supplied in the available references.
EPSS for the vulnerability rose from a low baseline to a peak of 0.0610 on 2025-12-11 before receding to the current value of 0.0049, indicating a period of increased exploitation interest after the 2023 disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-37279
Vulnerability details
Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.