| Field | Value |
|---|---|
| Title | Horizon Business Services Inc. Caterease Software 16.0.1.1663 through 24.0.1.2405 CWE-89: Improper Neutralization of Special Elements used in an S |
| Description | NOTE - This submission shall be embargoed until 14:00 CET on 2024-08-01 - NOTE<br>CVE-2024-38889: An issue in Horizon Business Services Inc. Caterease Software allows a remote attacker to perform SQL Injection due to improper neutralization of special elements used in an SQL command.<br>Vulnerability Type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')<br>Vendor of the Product: Horizon Business Services Inc.<br>Affected Product: Caterease Software<br>Affected Versions: 16.0.1.1663 through 24.0.1.2405<br>Attack Vector: Remote<br>Attack Type: CAPEC-66: SQL Injection \ CAPEC-594: Traffic Injection<br>Vulnerability Summary: Caterease Software is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands. This vulnerability allows attackers to exploit the software by injecting malicious SQL queries through TCP packet injection techniques. Attackers can craft custom TDS payloads that bypass normal input validation and execute arbitrary SQL commands on the database.<br>By exploiting this vulnerability, attackers can gain unauthorized access to the SQL database, manipulate or delete data, and disrupt database services. This can lead to significant security breaches, including the exposure of sensitive information, unauthorized data modification, and denial of service. The ability to execute arbitrary SQL commands compromises the confidentiality, integrity, and availability of the SQL database.<br>CVSS Base Score: Critical Risk - 9.6<br>CVSS v3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H<br>Exploitability Metrics<br>Attack Vector (AV): Adjacent Network<br>Attack Complexity (AC): Low<br>Privileges Required (PR): None<br>User Interaction (UI): None<br>Scope (S): Changed<br>Impact Metrics<br>Confidentiality (C): High<br>Integrity (I): High<br>Availability (A): High |
| User | jTag Labs (UID 51246) |
| Submission | 30.07.2024 16:59 (2 years ago) |
| Moderation | 01.08.2024 14:15 (2 days later) |
| Status | accepted |
| VulDB Entry | 273373 [Horizon Business Services Caterease up to 24.0.1.2405 TCP Packet SQL Injection] |
| Points | 17 |