Search criteria
1 vulnerability by Abast
CVE-2024-29732 (GCVE-0-2024-29732)
Vulnerability from cvelistv5 – Published: 2024-03-21 10:37 – Updated: 2024-08-06 14:56
VLAI
Title
SQL Injection vulnerability on SCAN_VISIO eDocument Suite Web Viewer from Abast
Summary
A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via "user" parameter.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Abast | SCAN_VISIO eDocument Suite Web Viewer |
Affected:
3.28.1
|
|
| abast | scan_visio_edocument_suite_web_viewer |
Affected:
3.28.1
cpe:2.3:a:abast:scan_visio_edocument_suite_web_viewer:*:*:*:*:*:*:*:* |
Date Public
2024-03-21 10:32
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-scanvisio-edocument-suite-web-viewer-abast"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:abast:scan_visio_edocument_suite_web_viewer:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scan_visio_edocument_suite_web_viewer",
"vendor": "abast",
"versions": [
{
"status": "affected",
"version": "3.28.1"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T14:50:25.370384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T14:56:52.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SCAN_VISIO eDocument Suite Web Viewer",
"vendor": "Abast",
"versions": [
{
"status": "affected",
"version": "3.28.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Alberto Gasulla"
},
{
"lang": "en",
"type": "other",
"value": "Ismael Pacheco Torrecilla"
}
],
"datePublic": "2024-03-21T10:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via \"user\" parameter."
}
],
"value": "A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. This vulnerability allows an unauthenticated user to retrieve, update and delete all the information of database. This vulnerability was found on login page via \"user\" parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T10:37:42.062Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-scanvisio-edocument-suite-web-viewer-abast"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability has been fixed in later versions."
}
],
"value": "Vulnerability has been fixed in later versions."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection vulnerability on SCAN_VISIO eDocument Suite Web Viewer from Abast",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2024-29732",
"datePublished": "2024-03-21T10:37:08.440Z",
"dateReserved": "2024-03-19T07:42:30.141Z",
"dateUpdated": "2024-08-06T14:56:52.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}