Platform: other
Component: scan-visio-edocument-suite-web-viewer
Fixed in: 3.28.2
CVE-2024-29732 describes a critical SQL Injection vulnerability discovered in the SCAN_VISIO eDocument Suite Web Viewer. This flaw allows an unauthenticated attacker to manipulate the underlying database, potentially leading to complete data compromise. The vulnerability affects versions 3.28.1 through 3.28.1, and a patch is available in version 3.28.2.
The SQL Injection vulnerability in SCAN_VISIO eDocument Suite Web Viewer poses a severe risk. An attacker can exploit this flaw to bypass authentication and directly interact with the database. This allows them to read sensitive data like user credentials, financial records, and proprietary documents. Furthermore, the attacker can modify or delete data, disrupting operations and potentially causing irreversible damage. The ability to update and delete data grants the attacker near-complete control over the affected system, making it a high-impact vulnerability. Successful exploitation could lead to a complete data breach and significant reputational damage for organizations using the software.
CVE-2024-29732 was publicly disclosed on March 21, 2024. The vulnerability's ease of exploitation, combined with the potential for significant data compromise, suggests a medium probability of exploitation. No public proof-of-concept (PoC) code had been released as of this writing, but the nature of the flaw makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.14% (34th percentile)
CVSS Vector
The primary mitigation for CVE-2024-29732 is to immediately upgrade to version 3.28.2 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation on the 'user' parameter in the login page is crucial; implement strict whitelisting and sanitization to prevent malicious SQL code from being injected. Web Application Firewalls (WAFs) configured to detect and block SQL Injection attempts can provide an additional layer of defense. Monitor application logs for suspicious SQL queries and unusual database activity. After upgrading, confirm the vulnerability is resolved by attempting a SQL Injection attack on the login page and verifying that the input is properly sanitized and does not result in database errors.
Update SCAN_VISIO eDocument Suite Web Viewer to a version later than 3.28.1, where the SQL Injection vulnerability has been fixed. Contact the vendor Abast for the updated version and installation instructions. As a temporary measure, consider restricting access to the login page until the update is applied.
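The two workarounds above (strict allowlisting of the 'user' parameter and watching the logs for injection attempts) next to the defect pattern they guard against, as an added example that is not code from SCAN_VISIO or its vendor: the table, column names and log lines are constructed here, since the advisory does not describe the product's real schema or log format.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed in-memory stand-in for the viewer's user table (schema is assumed).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

# Defect pattern the advisory describes: the 'user' parameter is concatenated
# straight into the SQL text, so the request controls the query's structure.
def lookup_user_vulnerable(conn: sqlite3.Connection, user: str) -> list:
    sql = f"SELECT name FROM users WHERE name = '{user}'"
    return [row[0] for row in conn.execute(sql)]

# Allowlist for the 'user' parameter: letters, digits, '.', '_', '-', 1-64 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Hardened form: reject anything outside the allowlist, then bind the value
# as a placeholder so it can never be parsed as SQL.
def lookup_user_safe(conn: sqlite3.Connection, user: str) -> list:
    if not USERNAME_RE.fullmatch(user):
        return []
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (user,))]

# Log check for the interim period: flag login requests whose decoded 'user'
# value would fail the allowlist, so they can be alerted on before the patch.
def suspicious_login_params(log_lines: list) -> list:
    flagged = []
    for line in log_lines:
        m = re.search(r'user=([^&\s"]*)', line)
        if m:
            value = unquote_plus(m.group(1))
            if not USERNAME_RE.fullmatch(value):
                flagged.append(value)
    return flagged

# Constructed access-log lines: one normal login, one tautology probe.
LOGS = [
    '10.0.0.5 - - "GET /viewer/login?user=alice&pw=x HTTP/1.1" 200',
    '10.0.0.9 - - "GET /viewer/login?user=%27+OR+%271%27%3D%271&pw=x HTTP/1.1" 200',
]

if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print(lookup_user_vulnerable(db, probe))   # every row: auth check bypassed
    print(lookup_user_safe(db, probe))         # [] : rejected by the allowlist
    print(suspicious_login_params(LOGS))       # the probe, decoded, for alerting
```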
CVE-2024-29732 is a critical SQL Injection vulnerability affecting SCAN_VISIO eDocument Suite Web Viewer, allowing unauthorized access and manipulation of the database.
If you are using SCAN_VISIO eDocument Suite Web Viewer versions 3.28.1 through 3.28.1, you are potentially affected by this vulnerability.
Upgrade to version 3.28.2 or later to resolve the vulnerability. Implement input validation as a temporary workaround.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the official SCAN_VISIO security advisory for detailed information and updates regarding CVE-2024-29732.