CRITICALCVE-2024-4466CVSS 9.8

CVE-2024-4466: SQL Injection in Gescen 2023–2023

Platform

other

Component

gescen

Fixed in

2023.0.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2024-4466 describes a critical SQL injection vulnerability discovered in Gescen, specifically affecting versions 2023–2023. An attacker can inject malicious SQL queries through the 'pass' parameter, potentially leading to complete data exfiltration. The vulnerability was published on May 3, 2024, and a fix is available in version 2023.0.1.

Impact and Attack Scenarios

The impact of this SQL injection vulnerability is severe. Successful exploitation allows an attacker to bypass authentication and directly query the underlying database. This could result in the exposure of sensitive information such as user credentials, personal data, financial records, and any other data stored within the database. Depending on the database schema and permissions, an attacker might even be able to modify or delete data, leading to data corruption or denial of service. The ability to extract all data represents a significant data breach risk.

Exploitation Context

While no public exploits are currently known, the severity of the vulnerability (CVSS 9.8) and the ease of exploitation (SQL injection) suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's nature and severity.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.07% (21% percentile)

CISA SSVC

Exploitationnone

Automatableyes

Technical Impacttotal

CVSS Vector

Affected Software

Componentgescen

VendorCentros Digitales

Affected rangeFixed in

2023 version – 2023 version2023.0.1

Weakness Classification (CWE)

CWE-89

Timeline

Reserved2024-05-03
Published2024-05-03
Modified2024-08-01
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-4466 is to immediately upgrade Gescen to version 2023.0.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious SQL queries targeting the 'pass' parameter. Specifically, look for patterns indicative of SQL injection attempts, such as the use of single quotes, double quotes, semicolons, or SQL keywords. Input validation on the 'pass' parameter is also crucial to prevent malicious input from reaching the database. After upgrading, confirm the fix by attempting a SQL injection attack on the 'pass' parameter and verifying that it is properly sanitized.

How to fix

Update Gescen to a patched version that resolves the (SQL Injection) vulnerability. If no version is available, contact the vendor for a patch or consider disabling the component until a solution is released. Implement input validation and sanitization on the 'pass' parameter to prevent the execution of malicious SQL queries.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-4466 — SQL Injection in Gescen?

CVE-2024-4466 is a critical SQL injection vulnerability affecting Gescen version 2023–2023, allowing attackers to potentially extract all database data.

Am I affected by CVE-2024-4466 in Gescen?

If you are using Gescen version 2023–2023, you are potentially affected. Upgrade to 2023.0.1 to resolve the issue.

How do I fix CVE-2024-4466 in Gescen?

Upgrade Gescen to version 2023.0.1 or implement a WAF rule to filter malicious SQL queries targeting the 'pass' parameter.

Is CVE-2024-4466 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's severity suggests a high probability of exploitation.

Where can I find the official Gescen advisory for CVE-2024-4466?

Refer to the vendor's advisory or security bulletins for specific details and updates regarding CVE-2024-4466.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.