CVE-2024-9971

{"id": "CVE-2024-9971", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-10-15T04:15:05.080", "references": [{"url": "https://www.twcert.org.tw/en/cp-139-8139-4daab-2.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-8138-d2bb7-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "The specific query functionality in the FlowMaster BPM Plus from NewType does not properly restrict user input, allowing remote attackers with regular privileges to inject SQL commands to read, modify, or delete database contents."}, {"lang": "es", "value": "La funcionalidad de consulta espec\u00edfica en FlowMaster BPM Plus de NewType no restringe adecuadamente la entrada del usuario, lo que permite a atacantes remotos con privilegios regulares inyectar comandos SQL para leer, modificar o eliminar contenidos de la base de datos."}], "lastModified": "2024-10-17T20:34:30.257", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:newtype:flowmaster_bpm_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D115D34-13A3-4B70-8A84-95B8303B3D21", "versionEndExcluding": "5.3.1"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}