Platform
php
Component
cigesv2
Fixed in
2.0.1
A critical SQL injection vulnerability (CVE-2024-2723) has been identified in CIGESv2, affecting versions up to and including CIGESv2. This flaw resides within the /ajaxSubServicios.php script, specifically in the 'idServicio' parameter. Successful exploitation allows a remote attacker to extract sensitive data directly from the underlying database. A patch is available in version 2.0.1.
The impact of this SQL injection vulnerability is severe. An attacker can leverage it to bypass authentication and authorization controls, gaining unauthorized access to the entire database. This includes sensitive information such as user credentials, financial records, personally identifiable information (PII), and potentially proprietary business data. The attacker could modify or delete data, leading to data corruption and service disruption. The ability to extract all data makes this a high-impact vulnerability, potentially leading to significant financial and reputational damage. While no specific exploitation patterns have been publicly linked to this CVE, SQL injection vulnerabilities are frequently targeted, and the ease of exploitation increases the likelihood of malicious activity.
CVE-2024-2723 was publicly disclosed on March 22, 2024. Its CRITICAL CVSS score indicates a high probability of exploitation. As of this writing, there are no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation suggests it will likely become a target. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (15% percentile)
CVSS Vector
The primary mitigation for CVE-2024-2723 is to immediately upgrade CIGESv2 to version 2.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing temporary workarounds. Input validation and sanitization on the 'idServicio' parameter in /ajaxSubServicios.php can help reduce the attack surface. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts targeting this specific endpoint can provide an additional layer of defense. Monitor database logs for suspicious SQL queries that might indicate an ongoing attack.
Update to the latest version of CIGESv2 that fixes the SQL Injection (SQL Injection) vulnerability. If no version is available, contact the vendor for a patch or an alternative solution. As a temporary measure, validate and escape all user input in the 'idServicio' parameter to prevent the execution of malicious SQL code.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-2723 is a critical SQL injection vulnerability in CIGESv2 that allows attackers to retrieve all database data through the /ajaxSubServicios.php script.
You are affected if you are using CIGESv2 version 2.0.0 or earlier. Check your version and upgrade immediately.
Upgrade to CIGESv2 version 2.0.1 or later. As a temporary workaround, implement input validation and WAF rules.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to become a target. Monitor your systems closely.
Refer to the CIGESv2 vendor's official website or security advisory page for the latest information and updates regarding CVE-2024-2723.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.