CVE-2024-9971

The specific query functionality in the FlowMaster BPM Plus from NewType does not properly restrict user input, allowing remote attackers with regular privileges to inject SQL commands to read, modify, or delete database contents.
Configurations

Configuration 1 (hide)

cpe:2.3:a:newtype:flowmaster_bpm_plus:*:*:*:*:*:*:*:*

History

17 Oct 2024, 20:34

Type Values Removed Values Added
References () https://www.twcert.org.tw/en/cp-139-8139-4daab-2.html - () https://www.twcert.org.tw/en/cp-139-8139-4daab-2.html - Third Party Advisory
References () https://www.twcert.org.tw/tw/cp-132-8138-d2bb7-1.html - () https://www.twcert.org.tw/tw/cp-132-8138-d2bb7-1.html - Third Party Advisory
CPE cpe:2.3:a:newtype:flowmaster_bpm_plus:*:*:*:*:*:*:*:*
First Time Newtype
Newtype flowmaster Bpm Plus

15 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) La funcionalidad de consulta específica en FlowMaster BPM Plus de NewType no restringe adecuadamente la entrada del usuario, lo que permite a atacantes remotos con privilegios regulares inyectar comandos SQL para leer, modificar o eliminar contenidos de la base de datos.

15 Oct 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-15 04:15

Updated : 2024-10-17 20:34


NVD link : CVE-2024-9971

Mitre link : CVE-2024-9971

CVE.ORG link : CVE-2024-9971


JSON object : View

Products Affected

newtype

  • flowmaster_bpm_plus
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')