CVE-2024-26264

CRITICAL

9.8

Description

EBM Technologies RISWEB's specific query function parameter does not properly restrict user input, and this feature page is accessible without login. This allows remote attackers to inject SQL commands without authentication, enabling them to read, modify, and delete database records.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published2/15/2024

Last Modified1/23/2025

Sourcenvd

Honeypot Sightings0

Affected Products

ebmtech:risweb

Weaknesses (CWE)

CWE-89

References

https://www.twcert.org.tw/tw/cp-132-7677-b1c0f-1.html(twcert@cert.org.tw)

https://www.twcert.org.tw/tw/cp-132-7677-b1c0f-1.html(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.