Unauthorized Execution of Arbitrary Code via SQL Injection in Ivanti EPM 2024 Flat
CVE-2024-37381

8.4HIGH

Key Information:

Vendor: Ivanti
Status: Epm
Vendor: CVE Published:; 29 July 2024

Summary

A vulnerability exists in the Core Server of Ivanti EPM 2024, characterized as an SQL Injection flaw. This issue allows authenticated users within the same network to manipulate SQL queries, potentially leading to the execution of arbitrary code. Attackers able to exploit this vulnerability could gain unauthorized access to sensitive data or execute malicious actions, thereby compromising the integrity and availability of the affected systems.

Affected Version(s)

EPM 2024

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM...

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jul 29, 2024
Vulnerability Reserved
Jun 7, 2024

Collectors

NVD DatabaseMitre Database