CVE-2024-9982
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Summary
AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content.
Impact
This vulnerability allows unauthenticated remote attackers to perform SQL injection attacks. They can potentially read sensitive data from the database, modify existing data, or delete database content. This could lead to unauthorized access to confidential information, data corruption, or service disruption. The attack complexity is low, and no user interaction is required, making it relatively easy for attackers to exploit.
Exploitation
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
Patch
Based on the provided information, there is no mention of an available patch for this vulnerability.
Mitigation
1. Disable the LINE Campaign Module if not necessary. 2. Implement proper input validation and sanitization for all query parameters. 3. Use parameterized queries or prepared statements to prevent SQL injection. 4. Apply the principle of least privilege to database accounts used by the application. 5. Regularly monitor and audit database activities for suspicious behavior. 6. Keep the AIM LINE Marketing Platform and all associated components up to date with the latest security patches when they become available.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
NVD published the first details for CVE-2024-9982
A CVSS base score of 9.8 has been assigned.
Feedly found the first article mentioning CVE-2024-9982. See article
Feedly estimated the CVSS score as HIGH
EPSS Score was set to: 0.09% (Percentile: 39.8%)