CRITICAL · CVE-2024-4228 · CVSS 9.8

CVE-2024-4228: SQL Injection in Magarsus Consultancy SSO

Platform: other

Component: sso-single-sign-on

Fixed in: 1.1

AI Confidence: high · Source: NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2024-4228 describes a critical SQL Injection vulnerability discovered in Magarsus Consultancy SSO. This flaw allows attackers to potentially extract sensitive information from the database. The vulnerability affects versions 1.0 through 1.1 of the SSO software. A patch is available in version 1.1.

Impact and Attack Scenarios

The SQL Injection vulnerability in Magarsus Consultancy SSO poses a significant risk to organizations using this software. An attacker could exploit this flaw to bypass authentication mechanisms and gain unauthorized access to the underlying database. This could lead to the exfiltration of sensitive data, including user credentials, configuration details, and potentially other confidential information. Successful exploitation could also allow modification or deletion of data within the database, leading to disruption of services and potential data loss. The impact is particularly severe given the critical CVSS base score of 9.8, which reflects an unauthenticated, network-reachable flaw with high impact on confidentiality, integrity, and availability.

Exploitation Context

CVE-2024-4228 was publicly disclosed on 2024-06-26. As of this date, there are no publicly known proof-of-concept exploits available. The vulnerability is listed in the NVD and in CISA advisories. The current EPSS score is 0.21% (43rd percentile), which is low despite the critical CVSS score; CVSS measures severity, not the likelihood of exploitation, so the two should be read together when prioritizing remediation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.21% (43rd percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — the attack is automatic and silent. The victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. The attacker can read all data: credentials, keys, personal data.
Integrity: High — the attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: sso-single-sign-on
Vendor: Magarsus Consultancy
Affected range: 1.0 – 1.1
Fixed in: 1.1

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-4228 is to immediately upgrade to version 1.1 of Magarsus Consultancy SSO, which contains the fix. If upgrading is not immediately feasible, consider temporary workarounds such as input validation and parameterized queries to reduce the attack surface. While not a complete solution, these measures can help to prevent exploitation. Review and restrict database user permissions to limit the potential impact of a successful attack. After upgrading, confirm the vulnerability is resolved through authorized security testing of the affected endpoints, verifying that injected input is properly rejected or sanitized.

How to fix

Update Magarsus Consultancy SSO to version 1.1 or later. This version contains the fix for the SQL Injection vulnerability. See the vendor security advisory for more details on the update.

Frequently asked questions

What is CVE-2024-4228 — SQL Injection in Magarsus Consultancy SSO?

CVE-2024-4228 is a critical SQL Injection vulnerability affecting Magarsus Consultancy SSO versions 1.0 through 1.1, allowing attackers to potentially extract sensitive data.

Am I affected by CVE-2024-4228 in Magarsus Consultancy SSO?

If you are using Magarsus Consultancy SSO version 1.0 or 1.1, you are affected by this vulnerability and should upgrade immediately.

How do I fix CVE-2024-4228 in Magarsus Consultancy SSO?

The recommended fix is to upgrade to version 1.1 of Magarsus Consultancy SSO. Implement temporary workarounds like input validation if immediate upgrade is not possible.

Is CVE-2024-4228 being actively exploited?

As of the current date, there are no publicly known active exploitation campaigns, but the critical severity warrants immediate attention and remediation.

Where can I find the official Magarsus Consultancy advisory for CVE-2024-4228?

Refer to the Magarsus Consultancy website and relevant security advisories for the official advisory regarding CVE-2024-4228.
