CVE-2024-9980

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 8.8 | EPSS 0.05% | High

Summary

The ee-class from FormosaSoft contains a vulnerability that does not properly validate a specific page parameter. This allows remote attackers with regular privileges to inject arbitrary SQL commands, potentially compromising the database.

Impact

This vulnerability enables attackers to read, modify, and delete database contents. The potential impacts are severe:

1. Data Breach: Attackers can access sensitive information stored in the database, leading to unauthorized disclosure of confidential data.
2. Data Manipulation: The ability to modify database contents could result in data integrity issues, potentially affecting business operations and decision-making processes.
3. Data Loss: The capability to delete database contents could lead to significant data loss, potentially disrupting business continuity.
4. Privilege Escalation: Depending on the database contents and structure, attackers might be able to escalate their privileges within the system.
5. System Compromise: In some cases, SQL injection vulnerabilities can be leveraged to execute operating system commands, potentially leading to full system compromise.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

As of the vulnerability's publication date (2024-10-15), there is no specific information provided about an available patch. The security team should closely monitor FormosaSoft's official channels for any security updates or patches addressing this vulnerability.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:

1. Input Validation: Implement strict input validation for the affected page parameter, ensuring that only expected and safe input is processed.
2. Parameterized Queries: Use parameterized queries or prepared statements instead of dynamic SQL to prevent SQL injection attempts.
3. Least Privilege: Ensure that database accounts used by the application have the minimum necessary privileges.
4. Web Application Firewall (WAF): Deploy or update WAF rules to detect and block SQL injection attempts.
5. Database Monitoring: Implement robust logging and monitoring of database activities to detect any suspicious queries or unauthorized access attempts.
6. Network Segmentation: If possible, isolate the affected systems to limit potential impact.
7. Regular Security Assessments: Conduct frequent security assessments and penetration testing to identify and address similar vulnerabilities.

Given the high severity of this vulnerability (CVSS score 8.8), it is recommended to prioritize these mitigation efforts and closely monitor for the release of an official patch.
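Mitigations 1 and 2 above, shown side by side on a page-number parameter. This is an added illustration, not ee-class code: the table, rows and page size are constructed, and the page is assumed to arrive as a string from the request.

```python
import re
import sqlite3

# Constructed sample data standing in for an application's paginated listing.
SAMPLE_ROWS = [(i, f"item-{i}") for i in range(1, 11)]
PAGE_SIZE = 4


def make_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_page_query_unsafe(page: str) -> str:
    """The vulnerable pattern: the request parameter is pasted into the SQL
    text, so whatever the client sends becomes part of the statement."""
    offset_expr = f"({page} - 1) * {PAGE_SIZE}"
    return f"SELECT id, name FROM items LIMIT {PAGE_SIZE} OFFSET {offset_expr}"


def parse_page(page: str, max_page: int = 1000) -> int:
    """Mitigation 1, strict validation: only a small positive integer passes.
    Signs, spaces, quotes and keywords are rejected before any DB access."""
    if not re.fullmatch(r"[0-9]{1,6}", page):
        raise ValueError("page must be a positive integer")
    value = int(page)
    if not 1 <= value <= max_page:
        raise ValueError("page out of range")
    return value


def fetch_page(conn: sqlite3.Connection, page: str) -> list[tuple[int, str]]:
    """Mitigation 2, parameter binding: the SQL text is a constant and the
    validated integer travels to the driver as a bound value, never as text."""
    page_no = parse_page(page)
    offset = (page_no - 1) * PAGE_SIZE
    cur = conn.execute(
        "SELECT id, name FROM items LIMIT ? OFFSET ?", (PAGE_SIZE, offset)
    )
    return cur.fetchall()
```

Even with binding in place, keep the validation step: LIMIT/OFFSET values cannot always be bound on every database engine, and range checks also stop resource-exhaustion through absurd offsets.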

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9980

Oct 15, 2024 at 8:15 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 15, 2024 at 8:15 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9980.

Oct 15, 2024 at 8:18 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 8:18 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 20.1%)

Oct 16, 2024 at 9:58 AM

Affected Systems

Formosasoft/ee-class

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Vulnerability Summary for the Week of October 14, 2024
High Vulnerabilities (Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info)
Acespritech Solutions Pvt. Ltd. -- Social Link Groups | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Acespritech Solutions Pvt. Ltd. Social Link Groups allows Blind SQL Injection. This issue affects Social Link Groups: from n/a through 1.1.0. | 2024-10-20 | 8.5 | CVE-2024-49619 | audit@patchstack.com
acm309 -- PutongOJ | PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually.
Security Bulletin 16 Oct 2024 - Cyber Security Agency of Singapore
https://nvd.nist.gov/vuln/detail/CVE-2024-9985. CVE-2024-47875, DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML ...
High - CVE-2024-9980 - The ee-class from FormosaSoft does not properly...
The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to inject arbitrary SQL commands to read, modify and delete...

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
