Cyber Resilience

CVE-2022-34324

Severity: High · Public PoC

Published: 01 January 2023

Modified: 11 April 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (66.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-34324 is a high-severity SQL Injection (CWE-89) vulnerability in Sage XRT Business Exchange. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 34.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-34324 covers a set of SQL injection flaws, tracked under CWE-89, that affect Sage XRT Business Exchange version 12.4.302. The issues reside in the Add Currencies, Payment Order, and Transfer History functions, where input supplied by an authenticated user is concatenated directly into SQL queries instead of being passed as a bound parameter.

An attacker with a valid account can reach the affected application over the network and, with low attack complexity, execute arbitrary SQL commands. Successful exploitation yields full read/write access to the database and can result in complete compromise of confidentiality, integrity, and availability, consistent with the CVSS 8.8 rating.

The two reference URLs point to the same Synacktiv technical report that details the injection points; no vendor advisory or patch information is supplied in the available references.

EPSS for the vulnerability rose from a low baseline to a peak of 0.0610 on 2025-12-11 before receding to the current value of 0.0049, indicating a period of increased exploitation interest after the 2023 disclosure.


Vulnerability details

Multiple SQL injections in Sage XRT Business Exchange 12.4.302 allow an authenticated attacker to inject malicious data in SQL queries: Add Currencies, Payment Order, and Transfer History.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sage
Product: sage xrt business exchange
Version: 12.4.302

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses (addresses CWE-89).
- Validates query inputs to prevent SQL syntax or command manipulation (addresses CWE-89).
