CVE-2024-9971

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 15, 2024 / Updated: 36d ago

010
CVSS 8.8EPSS 0.05%High
CVE info copied to clipboard

Summary

The specific query functionality in the FlowMaster BPM Plus from NewType does not properly restrict user input, allowing remote attackers with regular privileges to inject SQL commands to read, modify, or delete database contents.

Impact

This vulnerability allows remote attackers with low-level privileges to execute SQL injection attacks. The potential impacts are severe, as attackers can read, modify, or delete database contents. This could lead to unauthorized access to sensitive information, data manipulation, or data loss. The CVSS v3.1 base score of 8.8 indicates a high severity, with high impacts on confidentiality, integrity, and availability of the system.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Based on the provided information, there is no explicit mention of an available patch for this vulnerability.

Mitigation

While no specific mitigation is provided in the vulnerability data, general recommendations for SQL injection vulnerabilities include: 1. Implement proper input validation and sanitization for all user inputs. 2. Use parameterized queries or prepared statements instead of dynamic SQL. 3. Apply the principle of least privilege to database accounts used by the application. 4. Regularly update and patch the FlowMaster BPM Plus software from NewType. 5. Implement a web application firewall (WAF) to help detect and block SQL injection attempts. 6. Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9971

Oct 15, 2024 at 4:15 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 15, 2024 at 4:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9971. See article

Oct 15, 2024 at 4:24 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 4:24 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 20.1%)

Oct 15, 2024 at 10:16 AM
Static CVE Timeline Graph

Affected Systems

Newtype/flowmaster_bpm_plus
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

News

【Vulnerability Alert】 Critical Security Vulnerabilities Found in NewType Infortech FlowMaster ...
Source: Ministry of education information & communication security contingency platform 【Vulnerability Alert】 Critical Security Vulnerabilities Found in NewType Infortech FlowMaster BPM Plus [Content]
Security Bulletin 16 Oct 2024 - Cyber Security Agency of Singapore
https:// nvd . nist .gov/vuln/detail/ CVE -2024-9985. CVE -2024-47875, DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML ...
High - CVE-2024-9971 - The specific query functionality in the...
The specific query functionality in the FlowMaster BPM Plus from NewType does not properly restrict user input, allowing remote attackers with regular privileges to inject SQL commands to read,...
CVE-2024-9971 | NewType FlowMaster BPM Plus up to 5.3.0 sql injection
A vulnerability has been found in NewType FlowMaster BPM Plus up to 5.3.0 and classified as critical . Affected by this vulnerability is an unknown functionality. The manipulation leads to sql injection. This vulnerability is known as CVE-2024-9971 . The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
NewType FlowMaster BPM Plus - SQL Injection
Newtype - HIGH - CVE-2024-9971 The specific query functionality in the FlowMaster BPM Plus from NewType does not properly restrict user input, allowing remote attackers with regular privileges to inject SQL commands to read, modify, or delete database contents.
See 5 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI