Blind Boolean-Based SQL Injection Vulnerability in Avesko's Template_io.php File
CVE-2024-50584

Currently unrated

Key Information:

Vendor: Image Access Gmbh
Status: Scan2net
Vendor: CVE Published:; 12 December 2024

🔔 Create Image Access Gmbh Vulnerability Alert

What is CVE-2024-50584?

An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the /class/template_io.php file and supplying malicious GET parameters. The "templates" parameter is vulnerable against blind boolean-based SQL injection attacks. SQL syntax must be injected into the JSON syntax of the templates parameter.

Affected Version(s)

Scan2Net 0

References

https://r.sec-consult.com/imageaccess

third-party-advisory

https://www.imageaccess.de/?page=SupportPortal&lang=en

patch

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2024
Vulnerability Reserved
Oct 25, 2024

Credit

Daniel Hirschberger (SEC Consult Vulnerability Lab)

Tobias Niemann (SEC Consult Vulnerability Lab)