SQL Injection Vulnerability in ESAFENET CDG Product
CVE-2024-10597

9.8CRITICAL

Key Information:

Vendor: Esafenet
Status: Cdg
Vendor: CVE Published:; 31 October 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-10597?

A critical security vulnerability has been identified in the ESAFENET CDG 5 product, specifically affecting the delPolicyAction function within PolicyActionService.java. This vulnerability allows attackers to manipulate the 'id' argument, leading to SQL injection attacks. The exploitation of this vulnerability can be carried out remotely, making it particularly severe. Despite early disclosure to the vendor, ESAFENET has not responded, raising concerns about the potential for abuse in the wild. Organizations using the affected version are urged to apply immediate security measures to protect their systems against possible exploitation.

Affected Version(s)

CDG 5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10597 - Proof of Concept

References

https://vuldb.com/?id.282609

vdb-entrytechnical-description

https://vuldb.com/?ctiid.282609

signaturepermissions-required

https://vuldb.com/?submit.431325

third-party-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Oct 31, 2024
👾
Exploit known to exist
Oct 31, 2024
Vulnerability published
Oct 31, 2024
Vulnerability Reserved
Oct 31, 2024

Credit

0menc (VulDB User)

Esafenet

Badges

What is CVE-2024-10597?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline

Credit