CVE-2024-8945 in RISE Ultimate Project Manager

Summary

by MITRE • 09/17/2024

A vulnerability has been found in CodeCanyon RISE Ultimate Project Manager 3.7.0 and classified as critical. This vulnerability affects unknown code of the file /index.php/dashboard/save. The manipulation of the argument id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component.


Analysis

by VulDB Data Team • 04/02/2025

CVE-2024-8945 is an SQL injection flaw in CodeCanyon RISE Ultimate Project Manager 3.7.0. The weakness sits in the /index.php/dashboard/save endpoint, where the id argument reaches an SQL statement without adequate validation or escaping. VulDB classifies the issue as critical; in practice the impact is bounded by the privileges of the database account the application runs with, and ranges from reading or altering other users' project data to corrupting the database. The attack vector is remote, so no physical or network-adjacent access is needed, which matters most for internet-facing installations. The summary does not state whether the endpoint requires an authenticated session; check that against the affected deployment before prioritising, because it determines who can reach the vulnerable code path.

The root cause is missing neutralisation of the user-supplied id value in the dashboard save handler: the application builds the SQL statement from the raw argument instead of binding it as a parameter, so whoever controls that argument also controls part of the query. This is CWE-89, improper neutralisation of special elements used in an SQL command. Depending on the database engine and the application's privileges, the attacker can read data from other tables, modify or delete records, and in some configurations run stacked statements or write files. Because the endpoint is a save operation, the simplest abuse is to widen the WHERE clause so that a write intended for one record is applied to many.
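To make that failure mode concrete, here is an added example, not code from RISE Ultimate Project Manager (whose source is not shown on this page). It models a dashboard save handler in Python over an in-memory SQLite database, once with the id argument concatenated into the statement and once with the value type-checked and bound as a parameter. The table name, column names, user ids and the attacker payload are assumptions constructed for the illustration; the only thing taken from the advisory is that an id argument to a save operation reaches an SQL statement unneutralised.

```python
import sqlite3

# Constructed schema standing in for a project-manager dashboard table.
# Table and column names are assumptions for the example, not RISE's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dashboards (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO dashboards VALUES (?, ?, ?)",
        [(1, 10, "alice dashboard"), (2, 20, "bob dashboard")],
    )
    conn.commit()
    return conn


def save_vulnerable(conn, user_id, dashboard_id, title):
    # The request's id argument is interpolated into the statement (CWE-89).
    # The ownership check lives in the same string, so a payload can widen the
    # WHERE clause and comment the rest of it out. (title is a second sink of
    # the same kind; it is left unescaped here to mirror the pattern.)
    sql = (
        f"UPDATE dashboards SET title = '{title}' "
        f"WHERE id = {dashboard_id} AND user_id = {user_id}"
    )
    conn.execute(sql)
    conn.commit()


def save_hardened(conn, user_id, dashboard_id, title):
    # Validate the type first, then bind every user-controlled value.
    try:
        dashboard_id = int(dashboard_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    conn.execute(
        "UPDATE dashboards SET title = ? WHERE id = ? AND user_id = ?",
        (title, dashboard_id, user_id),
    )
    conn.commit()


def titles(conn):
    return dict(conn.execute("SELECT id, title FROM dashboards ORDER BY id"))


def demo(payload="2 OR 1=1 --"):
    """Run the constructed attacker payload against both handlers."""
    vuln = make_db()
    # The attacker is user 10 but names user 20's row; the injected OR matches
    # every row and the -- comment removes the user_id check entirely.
    save_vulnerable(vuln, 10, payload, "pwned")

    hard = make_db()
    try:
        save_hardened(hard, 10, payload, "pwned")
        rejected = False
    except ValueError:
        rejected = True
    return titles(vuln), titles(hard), rejected


if __name__ == "__main__":
    print(demo())
```

Running demo() shows every row in the vulnerable copy renamed, while the hardened handler rejects the payload before it reaches the database. Even without the int() cast, parameter binding would compare id against the literal text "2 OR 1=1 --" and match nothing; the explicit type check is what turns a silent no-op into a logged error.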

Operationally, the exposure is highest for internet-facing installations, since the flaw is reachable over the network without prior access to the internal environment. Successful exploitation can expose project data and stored credentials, and a compromised application server is a natural pivot point for lateral movement. The exploit is public, which lowers the skill needed to reproduce the attack and raises the likelihood of opportunistic scanning. Integrity and availability are also at stake, because a write-capable injection can alter or delete records rather than merely read them.

Mitigation should start with the vendor-provided update to version 3.7.1 or later. At the code level the fix is to bind the id value, and every other user-controlled value, as a query parameter and to validate it against its expected type before use, rather than relying on escaping alone. A web application firewall or intrusion detection system can buy time while patching but should not be treated as the fix. Review the application's other handlers for the same concatenation pattern, since one instance usually indicates a wider habit. In MITRE ATT&CK terms the initial-access technique is T1190 (Exploit Public-Facing Application). Restrict the database account the application uses to the privileges it actually needs, and monitor for anomalous queries or request parameters so that exploitation attempts are detected rather than discovered after the fact.
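The closing advice to monitor for exploitation attempts can be turned into a first-pass triage script. The following is an added example, not VulDB's or the vendor's tooling: it parses combined-format web server access lines, isolates requests to /index.php/dashboard/save, and flags any id value that is not a plain integer, tagging the ones that carry familiar injection markers. The log lines, client addresses and payloads are constructed for the illustration. One caveat the advisory does not resolve: if the id argument is sent in a POST body rather than the query string, a standard access log will not contain it and this check will miss it; request-body logging at the WAF or reverse proxy would be needed instead.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines; addresses, timestamps and
# payloads are made up for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2024:10:01:02 +0000] "POST /index.php/dashboard/save?id=7 HTTP/1.1" 200 512
203.0.113.9 - - [17/Sep/2024:10:01:09 +0000] "POST /index.php/dashboard/save?id=7%20OR%201%3D1-- HTTP/1.1" 200 512
203.0.113.9 - - [17/Sep/2024:10:01:15 +0000] "POST /index.php/dashboard/save?id=7%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 4410
198.51.100.2 - - [17/Sep/2024:10:02:00 +0000] "GET /index.php/dashboard HTTP/1.1" 200 8890
203.0.113.9 - - [17/Sep/2024:10:02:30 +0000] "POST /index.php/dashboard/save?id=7%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/index.php/dashboard/save"
# Coarse SQL-injection markers used only to label findings; the integer type
# check in classify_id is what actually decides whether a value is suspicious.
SQLI_HINTS = re.compile(
    r"('|--|/\*|\bOR\b|\bAND\b|\bUNION\b|\bSELECT\b|\bSLEEP\s*\(|\bBENCHMARK\s*\()",
    re.IGNORECASE,
)


def classify_id(value):
    """Classify an already percent-decoded id value.

    Returns None for a plain integer, otherwise a short reason string.
    """
    if re.fullmatch(r"\d+", value):
        return None
    m = SQLI_HINTS.search(value)
    return f"sqli-hint:{m.group(1)}" if m else "non-numeric"


def scan(log_text):
    """Return (ip, status, decoded id, reason) for every suspicious save request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes exactly once, matching what the server sees;
        # decoding again would normalise double-encoded payloads the app itself
        # would not have decoded.
        for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reason = classify_id(value)
            if reason:
                findings.append((m.group("ip"), m.group("status"), value, reason))
    return findings


def sources(findings):
    """Count suspicious requests per client address for triage."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for finding in hits:
        print(finding)
    print(sources(hits))
```

Keying the decision on "is this a plain integer" rather than on a signature list is deliberate: the endpoint's id is an integer by contract, so anything else is worth a look even if it matches no known payload, and the hint regex only helps an analyst prioritise. The HTTP status is kept in each finding because a 500 after a UNION attempt often marks the moment a probe turned into a working query.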

Responsible

VulDB

Disclosure

09/17/2024

Moderation

accepted

CPE

ready

Exploit

publicly available

EPSS

0.01237 (about a 1.2% probability of exploitation activity in the next 30 days, per the EPSS model)

KEV

no (not listed in the CISA Known Exploited Vulnerabilities catalog)

Activities

very low
