Unauthenticated Remote Attackers Can Inject Arbitrary FetchXml Commands to Read, Modify, and Delete Database Content
CVE-2024-9982

9.8CRITICAL

Key Information:

Vendor: Esi Technology
Status: Aim Line Marketing Platform
Vendor: CVE Published:; 15 October 2024

Summary

The AIM LINE Marketing Platform from Esi Technology exhibits a vulnerability due to improper validation of a specific query parameter when the LINE Campaign Module is activated. This flaw allows unauthenticated remote attackers to inject arbitrary FetchXml commands, enabling them to read, modify, and delete database content. Such unauthorized actions can severely compromise the integrity and confidentiality of sensitive information within the platform. Implementing robust input validation and ensuring the LINE Campaign Module is securely configured are essential steps to mitigate this vulnerability.

Affected Version(s)

AIM LINE Marketing Platform 3.3 <= 5.8.4

References

https://www.twcert.org.tw/tw/cp-132-8146-497a2-1.html

third-party-advisory

https://www.twcert.org.tw/en/cp-139-8147-eb650-2.html

third-party-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 15, 2024
Vulnerability Reserved
Oct 15, 2024

Collectors

NVD DatabaseMitre Database