Summaryinfo

A vulnerability, which was classified as critical, was found in crmeb_java up to 1.3.3. This issue affects some unknown processing of the file /api/front/spread/people of the component GET Request Handler. Executing a manipulation can lead to sql injection. This vulnerability is tracked as CVE-2024-24110. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in crmeb_java up to 1.3.3 (Programming Language Software). It has been declared as critical. This vulnerability affects some unknown functionality of the file /api/front/spread/people of the component GET Request Handler. The manipulation with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

SQL Injection vulnerability in crmeb_java before v1.3.4 allows attackers to run arbitrary SQL commands via crafted GET request to the component /api/front/spread/people.

The weakness was disclosed 02/29/2024. The advisory is shared for download at github.com. This vulnerability was named CVE-2024-24110 since 01/25/2024. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1505.

Upgrading to version 1.3.4 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Programming Language Software

Name

• crmeb_java

Version

• 1.3.0
• 1.3.1
• 1.3.2
• 1.3.3

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion