SQL Injection Vulnerability in ESAFENET CDG Product
CVE-2024-10500

8.8 HIGH

Key Information:

Vendor: Esafenet
Status: Vendor
CVE Published: 30 October 2024

Summary

A critical vulnerability has been identified in the ESAFENET CDG 5 product, specifically in the HookWhiteListService.java file. The flaw stems from unsafe handling of the 'policyId' argument, which lets an attacker inject SQL into the query built from it. Because the vulnerability is reachable remotely, it poses a serious risk: unauthorized database access and potential data breaches. Although the vendor was contacted about the issue early on, it has not issued a response or mitigation guidance, leaving users exposed.
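The advisory identifies the defect class (an untrusted 'policyId' value spliced into a SQL statement) but not the code. The following is an added illustration, not ESAFENET's code and not the actual HookWhiteListService.java logic: a constructed in-memory SQLite table standing in for a whitelist lookup, a lookup that concatenates the parameter the way the advisory describes, and the hardened form a defender would ship (type validation plus a bound parameter). The table name, columns and sample rows are all assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows; this is not the product's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hook_whitelist (id INTEGER PRIMARY KEY, policy_id INTEGER, process TEXT)"
    )
    conn.executemany(
        "INSERT INTO hook_whitelist (policy_id, process) VALUES (?, ?)",
        [(1, "notepad.exe"), (1, "winword.exe"), (2, "excel.exe"), (3, "cmd.exe")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, policy_id):
    """The defect class in the advisory: untrusted input becomes part of the SQL text.

    Whatever the caller passes as policy_id is parsed by the database as query
    syntax, so the input can change what the statement does, not just what it
    matches.
    """
    sql = "SELECT process FROM hook_whitelist WHERE policy_id = " + policy_id
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, policy_id):
    """Hardened form: reject anything that is not an integer, then bind the value.

    With a bound parameter the database receives the query structure and the
    value separately, so the value can never alter the query. The type check is
    a second, independent line of defence and gives a clear error for bad input.
    """
    if not isinstance(policy_id, str) or not policy_id.isdigit():
        raise ValueError("policyId must be a positive integer")
    sql = "SELECT process FROM hook_whitelist WHERE policy_id = ?"
    return [row[0] for row in conn.execute(sql, (int(policy_id),))]


def compare(policy_id):
    """Run both lookups on the same input and report what each returned."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, policy_id)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    try:
        hardened = lookup_hardened(conn, policy_id)
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    conn.close()
    return {"input": policy_id, "vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    # A well-formed id: both versions return the two processes for policy 1.
    print(compare("1"))
    # A tautology appended to the id: the concatenating version returns every
    # row in the table, the hardened version refuses the input outright.
    print(compare("1 OR 1=1"))
```

The important design point is that the parameter binding, not the `isdigit()` check, is what removes the injection: even if validation were bypassed or forgotten, a bound value cannot change the statement's structure. The validation is kept because it fails fast with a clear error and because it makes misuse visible in logs, which is what a detection engineer would want to see for a parameter like this.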

Affected Version(s)

CDG 5

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

Credit

0menc (VulDB User)