CVE-2024-9925

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

SQL injection vulnerability in TAI Smart Factory's QPLANT SF version 1.0. The vulnerability is located in the 'email' parameter on the 'RequestPasswordChange' endpoint.

Impact

Exploitation of this vulnerability could allow a remote attacker to retrieve all database information. This could lead to unauthorized access to sensitive data, potential modification of database contents, and possible disruption of service availability.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

No information about a patch is provided in the given vulnerability data.

Mitigation

While no specific mitigation is provided, general SQL injection mitigation strategies should be applied. These may include input validation, parameterized queries, and least privilege principles. The security team should prioritize updating TAI Smart Factory's QPLANT SF to a version newer than 1.0 if available, or work with the vendor to obtain a security patch.
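As an added illustration of the mitigation advice above (example code written for this page, not QPLANT SF's own code; the in-memory table, its column names and the lookup performed by the password-change endpoint are all assumptions), the following Python compares a string-concatenated lookup on an `email` parameter with a parameterized one, and then layers allow-list validation on top of the parameterized query as defence in depth.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's user store. The real
# QPLANT SF schema is not known; table and column names here are assumptions.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, reset_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, reset_token) VALUES (?, ?)",
        [("alice@example.com", "tok-a"), ("bob@example.com", "tok-b")],  # constructed rows
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The request value is spliced into the SQL text, so the database parses it
    # as part of the statement (CWE-89). This is the pattern to remove.
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # The value travels as a bound parameter: the driver never lets it alter
    # the statement's structure, whatever characters it contains.
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


# Allow-list shape check for the password-change endpoint. Deliberately
# conservative: it rejects quotes and whitespace even though a few such
# addresses are technically valid.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    # Validation first, then the parameterized query: two independent layers.
    if not EMAIL_RE.fullmatch(email):
        return []
    return lookup_parameterized(conn, email)


def demo() -> dict:
    """Run the three lookups against the same store and report row counts."""
    conn = make_db()
    # Constructed malformed value of the kind a concatenated query would misread.
    crafted = "' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted)),      # every user leaks
        "parameterized_rows": len(lookup_parameterized(conn, crafted)),  # no such address
        "hardened_rows": len(lookup_hardened(conn, crafted)),            # rejected up front
        "legit_rows": len(lookup_hardened(conn, "alice@example.com")),   # normal path works
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized query alone is what neutralises the injection; the regex is an additional control that also gives the application a cheap place to log and alert on malformed password-change requests. The database account used by the endpoint should, in line with the least-privilege point above, hold only SELECT and UPDATE rights on the tables the password flow actually touches.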

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9925.

Oct 15, 2024 at 8:50 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 8:50 AM
CVE Assignment

NVD published the first details for CVE-2024-9925

Oct 15, 2024 at 9:15 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 15, 2024 at 9:20 AM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 16, 2024 at 9:58 AM

Affected Systems

Taismartfactory/qplant_sf

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

NA - CVE-2024-9925 - SQL injection vulnerability in TAI Smart...
SQL injection vulnerability in TAI Smart Factory's QPLANT SF version 1.0. Exploitation of this vulnerability could allow a remote attacker to retrieve all database information by sending a...
SQL injection in QPLANT by TAI Smart Factory
Tai Smart Factory - CRITICAL - CVE-2024-9925 SQL injection vulnerability in TAI Smart Factory's QPLANT SF version 1.0. Exploitation of this vulnerability could allow a remote attacker to retrieve all database information by sending a specially crafted SQL query to the ‘email’ parameter on the ‘RequestPasswordChange’ endpoint.
CVE-2024-9925 | TAI Smart Factory QPLANT SF 1.0 RequestPasswordChange email sql injection
A vulnerability was found in TAI Smart Factory QPLANT SF 1.0 and classified as critical. This issue affects some unknown processing of the file RequestPasswordChange. The manipulation of the argument email leads to sql injection. The identification of this vulnerability is CVE-2024-9925. The attack may be initiated remotely. There is no exploit available.
CVE-2024-9925
SQL injection vulnerability in TAI Smart Factory's QPLANT SF version 1.0. Exploitation of this vulnerability could allow a remote attacker to retrieve all database information by sending a specially crafted SQL query to the ‘email’ parameter on the ‘RequestPasswordChange’...
CVE-2024-9925 - Tai Smart Factory QPLANT SF SQL Injection Vulnerability
CVE ID : CVE-2024-9925 Published : Oct. 15, 2024, 9:15 a.m. 49 minutes ago Description : SQL injection vulnerability in TAI Smart Factory's QPLANT SF version 1.0. Exploitation of this vulnerability could allow a remote attacker to retrieve all database information by sending a specially crafted SQL query to the ‘email’ parameter on the ‘RequestPasswordChange’ endpoint. Severity: 9.8

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
