Unauthenticated Remote Attackers Can Inject SQL Commands
CVE-2024-7731

9.8CRITICAL

Key Information:

Vendor: Secom
Status: Dr.id Access Control System
Vendor: CVE Published:; 14 August 2024

Summary

The Dr.ID Access Control System from SECOM is susceptible to an SQL injection vulnerability due to inadequate validation of a specific page parameter. This flaw allows unauthorized attackers to execute SQL commands, which could lead to unauthorized access, modification, or deletion of sensitive database information. Proper mitigation measures are necessary to safeguard against potential exploitation of this vulnerability.

Affected Version(s)

Dr.ID Access control system 0 < 3.6.3

References

https://www.twcert.org.tw/tw/cp-132-8005-c3c94-1.html

third-party-advisory

https://www.twcert.org.tw/en/cp-139-8006-036f5-2.html

third-party-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 14, 2024
Vulnerability Reserved
Aug 13, 2024