EBM Technologies RISWEB's specific query function parameter does not properly restrict user input, and this feature page is accessible without login. This allows remote attackers to inject SQL commands without authentication, enabling them to read, modify, and delete database records.
References
| Link | Resource |
|---|---|
| https://www.twcert.org.tw/tw/cp-132-7677-b1c0f-1.html |
Configurations
No configuration.
History
15 Feb 2024, 06:23
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2024-02-15 03:15
Updated : 2024-02-15 06:23
NVD link : CVE-2024-26264
Mitre link : CVE-2024-26264
CVE.ORG link : CVE-2024-26264
JSON object : View
Products Affected
No product.
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')