Unauthenticated Remote Attackers Can Inject Arbitrary FetchXml Commands to Read, Modify, and Delete Database Content
CVE-2024-9982
9.8CRITICAL
Key Information
- Vendor
- Esi Technology
- Status
- Aim Line Marketing Platform
- Vendor
- CVE Published:
- 15 October 2024
Summary
AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content.
Affected Version(s)
AIM LINE Marketing Platform <= 5.8.4
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability Reserved.
Vulnerability published.
Collectors
NVD DatabaseMitre Database