提出 #383218: Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-78: Improper Neutralization of Special Elements used in an O情報

タイトルHorizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-78: Improper Neutralization of Special Elements used in an O
説明NOTE - This submit shall be embargoed until 14:00 CET on 2024-08-01 - NOTE CVE-2024-38882: An issue in Horizon Business Services Inc. Caterease Software allows a remote attacker to perform command line execution through SQL Injection due to improper neutralization of special elements used in an OS command. Vulnerability Type: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vendor of the Product: Horizon Business Services Inc. Affected Product: Caterease Software Affected Versions: 16.0.1.1663 through 24.0.1.2405 Attack Vector: Remote Attack Type: CAPEC-108: Command Line Execution through SQL Injection Vulnerability Summary: Caterease Software is vulnerable to remote code execution through SQL Injection. The improper neutralization of special elements in SQL commands allows attackers to inject and execute arbitrary commands on the SQL server via xp_cmdshell. By exploiting this vulnerability, an attacker can craft malicious SQL queries that are executed with high-level privileges, enabling them to perform unauthorized actions on the server. This includes reading or modifying sensitive data, creating or deleting database objects, and even executing system-level commands. The ability to execute arbitrary commands can lead to unauthorized access to the SQL server, allowing the attacker to manipulate data, disrupt operations, and compromise the entire system. This vulnerability severely impacts the server's confidentiality by exposing sensitive information, the integrity by allowing unauthorized data modifications, and the availability by enabling actions that can disrupt or disable the server. Furthermore, the exploit can serve as a foothold for further attacks within the network, escalating the overall security risk. CVSS Base Score: Critical Risk - 9.6 CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Exploitability Metrics Attack Vector (AV): Adjacent Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None Scope (S): Changed Impact Metrics Confidentiality (C): High Integrity (I): High Availability (A): High
ユーザー
 jTag Labs (UID 51246)
送信2024年07月30日 16:53 (2 年 ago)
モデレーション2024年08月01日 14:14 (2 days later)
ステータス承諾済み
VulDBエントリ273366 [Horizon Business Services Caterease 迄 24.0.1.2405 SQL Server xp_cmdshell 特権昇格]
ポイント17

Do you need the next level of professionalism?

Upgrade your account now!