Platform: other
Component: fayton-pro-erp
Fixed version: 20250929.0.1
CVE-2024-13150 describes a SQL Injection vulnerability present in Fayton Software and Consulting Services' fayton.Pro ERP. This flaw allows attackers to inject malicious SQL code into database queries, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions of fayton.Pro ERP from 0 through 20250929, and a patch is available in version 20250929.0.1.
Successful exploitation of CVE-2024-13150 could allow an attacker to bypass authentication mechanisms and gain unauthorized access to sensitive data stored within the fayton.Pro ERP database. This includes customer information, financial records, and potentially other confidential business data. The attacker could modify, delete, or exfiltrate this data, leading to significant financial and reputational damage. Furthermore, depending on the database configuration and permissions, an attacker might be able to leverage the SQL injection to execute arbitrary commands on the underlying server, potentially leading to complete system compromise and lateral movement within the network. This vulnerability shares similarities with other SQL injection attacks where attackers have gained control of entire systems by exploiting database vulnerabilities.
CVE-2024-13150 was published on 2025-09-29. The EPSS score is pending evaluation. Public proof-of-concept exploits are not currently known, but the SQL Injection nature of the vulnerability makes it likely that such exploits will emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations utilizing fayton.Pro ERP, particularly those with sensitive financial or customer data, are at significant risk. Businesses relying on older, unpatched versions of the ERP system are especially vulnerable. Shared hosting environments where multiple users share the same database instance are also at increased risk, as a compromise of one user's account could potentially lead to the compromise of the entire database.
• linux / server: Monitor fayton.Pro ERP application logs for unusual SQL query patterns or error messages indicative of injection attempts. Use journalctl -f to monitor real-time log activity.
  journalctl -f -u faytonpro_erp
• generic web: Use curl to test vulnerable endpoints with common SQL injection payloads (e.g., ' OR '1'='1).
  curl 'http://erp.example.com/endpoint?param=' OR '1'='1'
• database (mysql): If direct database access is possible, run a query to check for unauthorized users or modified data.
  SELECT user, host FROM mysql.user WHERE user NOT IN ('root');
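Added example (not part of this advisory and not fayton.Pro ERP code): a first-pass detector for the log-monitoring step above. It URL-decodes each request's query parameters and flags tautologies such as the ' OR '1'='1 probe the advisory mentions, comment terminators, stacked statements and UNION SELECT, catching double-encoded variants as well. The combined access-log format, the endpoint paths and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Heuristic indicators in a parameter value: tautologies such as ' OR '1'='1,
# SQL comment terminators, stacked statements, and UNION SELECT probes.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),
    re.compile(r"'\s*or\s+\w+\s*=\s*\w+", re.I),
    re.compile(r"(--|/\*)"),
    re.compile(r";\s*(drop|delete|update|insert|exec)\b", re.I),
    re.compile(r"\bunion\b.*\bselect\b", re.I),
]

# Assumed combined access-log format (ip, timestamp, request line, status); not fayton.Pro's real format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def decode_params(url):
    """Return (name, value) pairs from the query string; parse_qsl decodes once and the
    extra unquote_plus catches double-encoded payloads (e.g. %2527 for the quote)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(name, unquote_plus(value)) for name, value in pairs]

def scan_line(line):
    """Return a hit record if any parameter matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # line not in the expected format: skip rather than crash
    for name, value in decode_params(m.group("url")):
        if any(p.search(value) for p in SQLI_PATTERNS):
            return {"ip": m.group("ip"), "param": name, "value": value,
                    "status": m.group("status"), "ts": m.group("ts")}
    return None

def scan_log(lines):
    """Scan an iterable of log lines and return all hits in order."""
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample lines: a benign request, a single-encoded tautology,
# a double-encoded UNION probe, and a benign value containing an apostrophe.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Sep/2025:10:01:02 +0000] "GET /endpoint?param=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Sep/2025:10:01:09 +0000] "GET /endpoint?param=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192',
    '198.51.100.7 - - [29/Sep/2025:10:01:15 +0000] "GET /report?id=1%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 212',
    '10.0.0.9 - - [29/Sep/2025:10:02:00 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Pipe the real access log through scan_log and alert on the source addresses it returns; the patterns are deliberately narrow, so extend them to your own endpoints rather than treating a clean run as proof of absence.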
Exploit status
EPSS: 0.04% (10th percentile)
The primary mitigation for CVE-2024-13150 is to immediately upgrade to version 20250929.0.1 of fayton.Pro ERP. Prior to upgrading, it is highly recommended to create a full backup of the database and system configuration to facilitate rollback in case of unforeseen issues. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious requests. Additionally, review and restrict database user permissions to minimize the potential impact of a successful attack. After upgrading, verify the fix by attempting a SQL injection attack on vulnerable endpoints and confirming that the input is properly sanitized.
Update fayton.Pro ERP to a version later than 20250929 that fixes the SQL injection vulnerability. Contact the vendor to obtain the updated version or a security patch. If the update is not available, review the source code to identify and correct the SQL injection vulnerabilities.
CVE-2024-13150 is a critical SQL Injection vulnerability in Fayton.Pro ERP allowing attackers to inject malicious SQL code, potentially leading to data breaches and system compromise.
If you are using Fayton.Pro ERP versions 0 through 20250929, you are affected by this vulnerability and need to upgrade immediately.
Upgrade to version 20250929.0.1 of Fayton.Pro ERP. Back up your system before upgrading and consider WAF rules as an interim measure.
While no public exploits are currently known, the SQL Injection nature of the vulnerability suggests exploitation is likely and monitoring is crucial.
Refer to the official Fayton Software and Consulting Services website or security advisory channels for the latest information on CVE-2024-13150.