CVE-2024-43415

An improper neutralization of special elements used in an SQL command in the papertrail/version model of the decidim_awesome module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate SQL queries to disclose information, read and write files or execute commands.
Configurations

No configuration.

History

13 Nov 2024, 19:15

Type Values Removed Values Added
Summary
  Values Removed: (en) An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information, read and write ?les or execute commands.
  Values Added: (en) An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information, read and write files or execute commands.

13 Nov 2024, 17:01

Type Values Removed Values Added
Summary
  • (es) Una neutralización incorrecta de elementos especiales utilizados en un comando SQL en el modelo papertrail/version del módulo decidim_awesome <= v0.11.1 (> 0.9.0) permite que un usuario administrador autenticado manipule consultas SQL para revelar información, leer y escribir archivos o ejecutar comandos.
Summary
  Values Removed: (en) An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information, read and write files or execute commands.
  Values Added: (en) An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information, read and write ?les or execute commands.

12 Nov 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-12 16:15

Updated : 2024-11-13 19:15


NVD link : CVE-2024-43415

Mitre link : CVE-2024-43415

CVE.ORG link : CVE-2024-43415


Products Affected

No product.

CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')