CVE-2024-28094
Published: 07 March 2024
Summary
CVE-2024-28094 is a high-severity SQL Injection (CWE-89) vulnerability in the Schoolbox application (vendor: Schoolbox). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25259
Vulnerability details
Chat functionality in the Schoolbox application before version 23.1.3 is vulnerable to blind SQL Injection, enabling authenticated attackers to read, modify, and delete database records.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The blind SQL injection in Schoolbox chat allows authenticated attackers to execute arbitrary SQL against the application database: reading data from the database (T1213.006), manipulating stored data (T1565.001), and destroying data by deletion (T1485). The flaw is reached by exploiting the remote chat service (T1210), and because it grants database-level read and write access beyond the attacker's application role, it can also serve as a path to privilege escalation (T1068).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.