| Field | Value |
|---|---|
| Title | Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-89: Improper Neutralization of Special Elements used in an S |
| User | jTag Labs (UID 51246) |
| Submission | 30/07/2024 04:59 PM (2 years ago) |
| Moderation | 01/08/2024 02:15 PM (2 days later) |
| Status | Approved |
| VulDB Entry | 273373 [Horizon Business Services Caterease up to 24.0.1.2405 TCP Packet SQL Injection] |
| Points | 17 |

Description:

NOTE - This submission shall be embargoed until 14:00 CET on 2024-08-01 - NOTE

CVE-2024-38889: An issue in Horizon Business Services Inc. Caterease Software allows a remote attacker to perform SQL Injection due to improper neutralization of special elements used in an SQL command.

| Field | Value |
|---|---|
| Vulnerability Type | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| Vendor of the Product | Horizon Business Services Inc. |
| Affected Product | Caterease Software |
| Affected Versions | 16.0.1.1663 through 24.0.1.2405 |
| Attack Vector | Remote |
| Attack Type | CAPEC-66: SQL Injection / CAPEC-594: Traffic Injection |

Vulnerability Summary: Caterease Software is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands. This vulnerability allows attackers to exploit the software by injecting malicious SQL queries through TCP packet injection techniques. Attackers can craft custom TDS payloads that bypass normal input validation and execute arbitrary SQL commands on the database.

By exploiting this vulnerability, attackers can gain unauthorized access to the SQL database, manipulate or delete data, and disrupt database services. This can lead to significant security breaches, including the exposure of sensitive information, unauthorized data modification, and denial of service. The ability to execute arbitrary SQL commands compromises the confidentiality, integrity, and availability of the SQL database.

| CVSS v3.1 | Metric | Value |
|---|---|---|
| Score | Base Score | Critical Risk - 9.6 |
| Score | Vector | AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Exploitability Metrics | Attack Vector (AV) | Adjacent Network |
| Exploitability Metrics | Attack Complexity (AC) | Low |
| Exploitability Metrics | Privileges Required (PR) | None |
| Exploitability Metrics | User Interaction (UI) | None |
| Exploitability Metrics | Scope (S) | Changed |
| Impact Metrics | Confidentiality (C) | High |
| Impact Metrics | Integrity (I) | High |
| Impact Metrics | Availability (A) | High |