CVE-2024-9574

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 7, 2024 / Updated: 43d ago

CVSS 6.5 / EPSS 0.04% / Medium

Summary

SOPlanning versions prior to 1.45 contain an SQL injection vulnerability in the /soplanning/www/user_groupes.php file, reachable via the 'by' parameter. A remote user can submit a specially crafted query and potentially retrieve all information stored in the database.

Impact

The impact of this vulnerability is severe. An attacker could potentially:

1. Retrieve sensitive information: Access and exfiltrate all data stored in the database, which may include user credentials, personal information, and other confidential data.
2. Modify database contents: The attacker might be able to alter, add, or delete data in the database, compromising the integrity of the system.
3. Escalate privileges: Depending on the database configuration, the attacker might be able to execute administrative operations or gain elevated access to the system.
4. Compromise system availability: By manipulating or corrupting critical data, the attacker could potentially disrupt normal operations or cause system instability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

A patch is available. The vulnerability is fixed in SOPlanning version 1.45 and later. Users should upgrade to version 1.45 or the latest available version to mitigate this vulnerability.

Mitigation

1. Upgrade SOPlanning: Immediately update to version 1.45 or later.
2. Input Validation: Implement strict input validation for all user inputs, especially the 'by' parameter in user_groupes.php.
3. Parameterized Queries: Use parameterized queries or prepared statements instead of dynamic SQL to prevent SQL injection.
4. Least Privilege: Ensure that the database user used by the application has minimal necessary privileges.
5. Web Application Firewall (WAF): Consider implementing a WAF to help detect and block SQL injection attempts.
6. Regular Security Audits: Conduct regular code reviews and security audits to identify and address potential vulnerabilities.
7. Network Segmentation: Isolate the database server from direct external access where possible.
8. Monitor for Suspicious Activity: Implement logging and monitoring to detect potential exploitation attempts.
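
One way to implement the monitoring step for this specific endpoint, as an added example that is not part of the original advisory or of SOPlanning's code: it scans web server access log lines for requests to user_groupes.php whose 'by' value is not a plain identifier-like token. The combined log format, the allowlist pattern, and the sample lines and parameter values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# File name and parameter name come from the advisory; the rest is assumed.
TARGET_SUFFIX = "/user_groupes.php"
PARAM = "by"
# Assumption: legitimate values are short identifier-like tokens.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.]{1,64}")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for 'by' values that are not plain tokens."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith(TARGET_SUFFIX):
            continue  # a different page, out of scope for this check
        # parse_qs percent-decodes each value, so encoded characters are caught.
        for value in parse_qs(url.query).get(PARAM, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((m.group("ip"), value))
    return hits

# Constructed sample log lines (not real traffic; values are placeholders).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Oct/2024:15:00:01 +0000] "GET /soplanning/www/user_groupes.php?by=nom HTTP/1.1" 200 5120',
    '192.0.2.44 - - [07/Oct/2024:15:00:09 +0000] "GET /soplanning/www/user_groupes.php?by=nom%27%20x HTTP/1.1" 500 312',
    '192.0.2.44 - - [07/Oct/2024:15:00:12 +0000] "GET /soplanning/www/user_groupes.php?order=asc&by=nom%2C2 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [07/Oct/2024:15:01:30 +0000] "GET /soplanning/www/other.php?by=a%27b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-token 'by' value: {value!r}")
```

Access logs record only the query string, so a 'by' value sent in a POST body would need application-level or WAF logging to be visible to a check like this.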

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9574.

Oct 7, 2024 at 2:55 PM / INCIBE

CVSS Estimate

Feedly estimated the CVSS score as HIGH.

Oct 7, 2024 at 3:02 PM

CVE Assignment

NVD published the first details for CVE-2024-9574.

Oct 7, 2024 at 3:15 PM

CVSS

A CVSS base score of 9.8 has been assigned.

Oct 7, 2024 at 3:20 PM / nvd

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 8, 2024 at 9:58 AM

CVSS

A CVSS base score of 6.5 has been assigned.

Oct 8, 2024 at 6:50 PM / nvd

Affected Systems

Soplanning/soplanning

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
