CVE-2024-12097
Published: 05 March 2025
Summary
CVE-2024-12097 is a critical-severity SQL Injection (CWE-89) vulnerability in Gov (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-12097 is an SQL Injection vulnerability (CWE-89), stemming from improper neutralization of special elements used in an SQL command. It affects Boceksoft Informatics E-Travel versions prior to 15.12.2024.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, requiring no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. Remote attackers without authentication can inject malicious SQL queries to potentially extract sensitive data, modify database contents, or disrupt service.
Mitigation involves upgrading to E-Travel version 15.12.2024 or later. Additional details are available in the advisory at https://www.usom.gov.tr/bildirim/tr-25-0053.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54007
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Boceksoft Informatics E-Travel allows SQL Injection. This issue affects E-Travel: before 15.12.2024.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a network-accessible web application with no authentication required directly enables remote exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted input before it is used in SQL statements, which is the precise failure that enables CVE-2024-12097.
Mandates timely application of vendor patches; the only official fix for this CVE is upgrading E-Travel to version 15.12.2024 or later.
Requires continuous monitoring of system and application behavior that can identify anomalous SQL queries or database errors indicative of injection attempts.