Submit #383229: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Title: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description:

NOTE - This submit shall be embargoed until 14:00 CET on 2024-08-01 - NOTE

CVE-2024-38889: An issue in Horizon Business Services Inc. Caterease Software allows a remote attacker to perform SQL Injection due to improper neutralization of special elements used in an SQL command.

Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vendor of the Product: Horizon Business Services Inc.
Affected Product: Caterease Software
Affected Versions: 16.0.1.1663 through 24.0.1.2405
Attack Vector: Remote
Attack Type: CAPEC-66: SQL Injection / CAPEC-594: Traffic Injection

Vulnerability Summary: Caterease Software is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands. This vulnerability allows attackers to exploit the software by injecting malicious SQL queries through TCP packet injection techniques. Attackers can craft custom TDS payloads that bypass normal input validation and execute arbitrary SQL commands on the database. By exploiting this vulnerability, attackers can gain unauthorized access to the SQL database, manipulate or delete data, and disrupt database services. This can lead to significant security breaches, including the exposure of sensitive information, unauthorized data modification, and denial of service. The ability to execute arbitrary SQL commands compromises the confidentiality, integrity, and availability of the SQL database.

CVSS Base Score: Critical Risk - 9.6
CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitability Metrics
Attack Vector (AV): Adjacent Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed

Impact Metrics
Confidentiality (C): High
Integrity (I): High
Availability (A): High

User: jTag Labs (UID 51246)
Submission: 30.07.2024 16:59 (2 years ago)
Moderation: 01.08.2024 14:15 (2 days later)
Status: Accepted
VulDB Entry: 273373 [Horizon Business Services Caterease up to 24.0.1.2405 TCP Packet SQL Injection]
Points: 17
