Unauthorized Execution of Arbitrary Code via SQL Injection in Ivanti EPM 2024 Flat
CVE-2024-37381

8HIGH

Key Information:

Vendor: Ivanti
Status: Epm
Vendor: CVE Published:; 29 July 2024

What is CVE-2024-37381?

A vulnerability exists in the Core Server of Ivanti EPM 2024, characterized as an SQL Injection flaw. This issue allows authenticated users within the same network to manipulate SQL queries, potentially leading to the execution of arbitrary code. Attackers able to exploit this vulnerability could gain unauthorized access to sensitive data or execute malicious actions, thereby compromising the integrity and availability of the affected systems.

Affected Version(s)

EPM 2024

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 29, 2024
Vulnerability Reserved
Jun 7, 2024