CVE-2024-8630

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 27, 2024 / Updated: 53d ago

CVSS 9.3 | EPSS 0.04% | Critical

Summary

Alisonic Sibylla devices are vulnerable to SQL injection attacks, which could allow complete access to the database. This vulnerability affects Alisonic Sibylla firmware versions.

Impact

The impact of this vulnerability is severe. It allows attackers to potentially access, modify, or delete sensitive information stored in the database of Alisonic Sibylla devices. The vulnerability poses high risks to data confidentiality, integrity, and availability. Attackers could execute unauthorized database operations, retrieve sensitive information, modify or delete critical data, or potentially gain elevated privileges within the system. Given that it's a network-based attack vector with low attack complexity and requires no user interaction or privileges, this vulnerability presents a significant threat to the security of affected systems. The CVSS v3.1 base score is 9.8 (Critical), and the CVSS v4.0 base score is 9.3 (Critical), indicating the highest level of severity.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

Information about the availability of a specific patch is not provided in the given vulnerability data.

Mitigation

While specific patch information is not available, recommended mitigation strategies for this SQL injection vulnerability include:

1. Implement proper input validation and sanitization for all user-supplied data.
2. Use parameterized queries or prepared statements instead of dynamic SQL.
3. Apply the principle of least privilege to database accounts used by the application.
4. Regularly update and patch the Alisonic Sibylla devices' firmware.
5. Implement web application firewalls (WAF) to help detect and block SQL injection attempts.
6. Conduct regular security audits and penetration testing to identify and address vulnerabilities.
7. Monitor database activity for suspicious queries or unauthorized access attempts.

Given the critical severity of this vulnerability, it is strongly recommended to prioritize these mitigation efforts and apply them as soon as possible to all affected Alisonic Sibylla devices.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8630.

Sep 24, 2024 at 2:36 PM / Cybersecurity and Infrastructure Security Agency CISA
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 24, 2024 at 2:37 PM
CVE Assignment

NVD published the first details for CVE-2024-8630

Sep 27, 2024 at 5:15 PM
CVSS

A CVSS base score of 9.4 has been assigned.

Sep 27, 2024 at 5:20 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 28, 2024 at 9:21 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 16, 2024 at 1:21 PM / nvd

Affected Systems

Alisonic/sibylla_firmware

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

Alisonic Sibylla
Alisonic Sibylla devices are vulnerable to SQL injection attacks, which could allow complete access to the database. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

News

Vulnerability Summary for the Week of September 23, 2024
High Vulnerabilities (Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info):

- Dover Fueling Solutions (DFS) -- ProGauge MAGLINK LX CONSOLE: A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands. Published 2024-09-25; CVSS 10; CVE-2024-43693; ics-cert@hq.dhs.gov
- Dover Fueling Solutions (DFS) -- ProGauge MAGLINK LX CONSOLE: A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands. Published 2024-09-25; CVSS 10; CVE-2024-45066; ics-cert@hq.dhs.gov
- webdevmattcrom -- GiveWP Donation Plugin and Fundraising Platform: The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932, however, it was discovered that the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2. Published 2024-09-28; CVSS 10; CVE-2024-8353; security@wordfence.com
- Scriptcase -- Scriptcase: Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ via a POST request. An attacker could upload malicious files to the server due to the application not properly verifying user input. Published 2024-09-25; CVSS 10; CVE-2024-8940; cve-coordination@incibe.es
- n/a -- n/a: File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop.
ATG: critical vulnerabilities on fuel stations
In addition to the ATC vulnerabilities, security flaws have also been discovered in the open-source solution OpenPLC, including a serious stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to gain access to remote code execution. Since not only ATGs are involved, the development comes as the Cybersecurity and Infrastructure Security Agency (CISA) of the United States has reported an increase in threats to Internet-accessible OT and ICS systems including those in the Water and Wastewater Systems (WWS) sector.
Critical Flaws In Tank Gauge Systems Expose Gas Stations To Remote Attacks
Security flaws have also been uncovered in the open-source OpenPLC solution, including a critical stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution. Also of note are several critical vulnerabilities in the AJCloud IP camera management platform that, if successfully exploited, could lead to the exposure of sensitive user data and provide attackers with full remote control of any camera connected to the smart home cloud service.

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
