Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-36393

9.8CRITICAL

Key Information:

Vendor: Sysaid
Status: Sysaid
Vendor: CVE Published:; 6 June 2024

Summary

An identified vulnerability in SysAid products allows for SQL injection attacks due to improper neutralization of special elements within SQL commands. Attackers can exploit this weakness to manipulate database queries, potentially leading to unauthorized data access, data leakage, or other malicious activities. It is crucial for users of SysAid to be aware of this vulnerability and take necessary precautions to mitigate the associated risks.

Affected Version(s)

SysAid All versions <= 23.3.38

References

https://www.gov.il/en/Departments/faq/cve_advisories

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 6, 2024
Vulnerability Reserved
May 27, 2024

Credit

Niv Levy, Daniel Shemesh, Or Ida - CyberArk