Plataforma
php
Componente
cigesv2
Corrigido em
2.0.1
A critical SQL injection vulnerability (CVE-2024-2723) has been identified in CIGESv2, affecting versions up to and including CIGESv2. This flaw resides within the /ajaxSubServicios.php script, specifically in the 'idServicio' parameter. Successful exploitation allows a remote attacker to extract sensitive data directly from the underlying database. A patch is available in version 2.0.1.
The impact of this SQL injection vulnerability is severe. An attacker can leverage it to bypass authentication and authorization controls, gaining unauthorized access to the entire database. This includes sensitive information such as user credentials, financial records, personally identifiable information (PII), and potentially proprietary business data. The attacker could modify or delete data, leading to data corruption and service disruption. The ability to extract all data makes this a high-impact vulnerability, potentially leading to significant financial and reputational damage. While no specific exploitation patterns have been publicly linked to this CVE, SQL injection vulnerabilities are frequently targeted, and the ease of exploitation increases the likelihood of malicious activity.
CVE-2024-2723 was publicly disclosed on March 22, 2024. Its CRITICAL CVSS score indicates a high probability of exploitation. As of this writing, there are no known public exploits or active campaigns targeting this vulnerability, but the ease of exploitation suggests it will likely become a target. It is not currently listed on the CISA KEV catalog.
Organizations utilizing CIGESv2 for any service, particularly those handling sensitive user data or financial information, are at significant risk. Shared hosting environments where multiple users share the same CIGESv2 instance are especially vulnerable, as a compromise of one user's account could lead to widespread data exposure.
• php / web:
grep -r "idServicio = " /var/www/html/ajaxSubServicios.php• generic web:
curl -I 'http://your-cigesv2-server/ajaxSubServicios.php?idServicio=1' | grep -i 'SQL injection'disclosure
Status do Exploit
EPSS
0.05% (percentil 15%)
Vetor CVSS
The primary mitigation for CVE-2024-2723 is to immediately upgrade CIGESv2 to version 2.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing temporary workarounds. Input validation and sanitization on the 'idServicio' parameter in /ajaxSubServicios.php can help reduce the attack surface. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts targeting this specific endpoint can provide an additional layer of defense. Monitor database logs for suspicious SQL queries that might indicate an ongoing attack.
Actualizar a la última versión de CIGESv2 que corrija la vulnerabilidad de inyección SQL. Si no hay una versión disponible, contacte al proveedor para obtener un parche o una solución alternativa. Como medida temporal, valide y escape todas las entradas del usuario en el parámetro 'idServicio' para prevenir la ejecución de código SQL malicioso.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2024-2723 is a critical SQL injection vulnerability in CIGESv2 that allows attackers to retrieve all database data through the /ajaxSubServicios.php script.
You are affected if you are using CIGESv2 version 2.0.0 or earlier. Check your version and upgrade immediately.
Upgrade to CIGESv2 version 2.0.1 or later. As a temporary workaround, implement input validation and WAF rules.
While no active exploitation has been confirmed, the ease of exploitation suggests it is likely to become a target. Monitor your systems closely.
Refer to the CIGESv2 vendor's official website or security advisory page for the latest information and updates regarding CVE-2024-2723.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.