CVE-2024-9379
- EPSS 82.72%
- Published 08.10.2024 17:15:56
- Last modified 10.10.2024 15:53:20
- Source 3c1d8aa1-5a33-4ea4-8992-aadd64
- Teams watchlist Login
- Open Login
SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
09.10.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog
Ivanti Cloud Services Appliance (CSA) SQL Injection Vulnerability
VulnerabilityIvanti Cloud Services Appliance (CSA) contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements.
DescriptionAs Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Required actions| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 82.72% | 0.992 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 | 6.5 | 1.2 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
|
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.