CVE-2024-9968

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 15, 2024 / Updated: 36d ago

CVSS 8.8 / EPSS 0.04% / High

Summary

WebEIP v3.0 from NewType does not properly validate user input, allowing remote attackers with regular privileges to inject SQL commands and read, modify, and delete data stored in the database. The affected product is no longer maintained.

Impact

This vulnerability allows remote attackers with low-level privileges to perform SQL injection attacks. Such attacks could result in unauthorized access to, modification of, or deletion of sensitive data stored in the database. Given the high impact on confidentiality, integrity, and availability, this vulnerability could lead to complete compromise of the affected system's data.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at this time.

Patch

No patch is available as the affected product (WebEIP v3.0) is no longer maintained.

Mitigation

It is recommended to upgrade to the vendor's newer product, as the affected version is no longer maintained and will not receive a fix. In the meantime, implement strong input validation, use parameterized queries or stored procedures, and apply the principle of least privilege to the database account the application uses. Additionally, consider deploying a Web Application Firewall (WAF) to help detect and block SQL injection attempts.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9968

Oct 15, 2024 at 3:15 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 15, 2024 at 3:15 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9968.

Oct 15, 2024 at 3:18 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 3:18 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 15, 2024 at 10:16 AM

Affected Systems

Newtype/webeip

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

【Vulnerability Alert】NewType Infortech WebEIP v3.0 - Major Security Vulnerability (CVE ...
Source: Ministry of Education Information & Communication Security Contingency Platform
National Institute of Standards and Technology (.gov) - NVD - Home
CVE-2024-9968 - WebEIP v3.0 from NewType does not properly validate user input, allowing remote attackers with regular privilege to inject SQL commands to read, modify, and delete data stored in database. CVE-2024-9969 - NewType WebEIP v3.0 does not properly validate user input, allowing a remote attacker with regular privileges to insert JavaScript into specific parameters, resulting in a Reflected Cross-site Scripting (XSS) attack.
Security Bulletin 16 Oct 2024 - Cyber Security Agency of Singapore
https://nvd.nist.gov/vuln/detail/CVE-2024-9985. CVE-2024-47875, DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML ...
NA - CVE-2024-9968 - WebEIP v3.0 from NewType does not properly...
WebEIP v3.0 from NewType does not properly validate user input, allowing remote attackers with regular privilege to inject SQL commands to read, modify, and delete data stored in database. The...
CVE-2024-9968
Severity 3.1 (CVSS 3.1 Base Score)

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
