CVE-2024-39250
Published: 22 July 2024
Summary
CVE-2024-39250 is a critical-severity SQL Injection (CWE-89) vulnerability in Efrotech Timetrax. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
EfroTech Timetrax v8.3 contains an unauthenticated SQL injection vulnerability via the q parameter in the search web interface. The flaw is tracked as CWE-89 and is rated 9.8 under CVSS 3.1, reflecting network-accessible attack vectors that require no authentication or user interaction and can impact confidentiality, integrity, and availability.
An attacker with network access can supply crafted input through the q parameter to execute arbitrary SQL statements against the underlying database. Successful exploitation can result in data exfiltration, modification, or deletion, as well as potential escalation to full system compromise.
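The root cause described above is user input from a search parameter being spliced into SQL text. The following is an added example, not code from Timetrax or from the advisory's authors; it uses a constructed in-memory SQLite table and an assumed `q`-style search handler to show the vulnerable pattern beside its hardened form, where the driver binds the input as a value and LIKE wildcards are escaped so they are matched literally.

```python
import sqlite3

# Constructed sample rows; the schema is an assumption for illustration only.
EMPLOYEES = [
    ("alice", "Engineering", "alice@example.test"),
    ("bob", "Finance", "bob@example.test"),
    ("carol", "Engineering", "carol@example.test"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, email TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def search_vulnerable(conn, q):
    """CWE-89 pattern: the search term becomes part of the SQL statement text,
    so quotes and operators inside q change the query's meaning."""
    sql = f"SELECT name, dept FROM employees WHERE name LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, q):
    """Parameterized query: q is bound as a value and can never alter the
    statement. LIKE metacharacters are escaped so '%' and '_' in the search
    term match themselves instead of acting as wildcards."""
    escaped = (
        q.replace("\\", "\\\\")
         .replace("%", "\\%")
         .replace("_", "\\_")
    )
    sql = "SELECT name, dept FROM employees WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The textbook tautology probe: the vulnerable handler returns every row,
    # the hardened handler searches for the literal string and finds nothing.
    probe = "' OR '1'='1"
    print("vulnerable:", search_vulnerable(conn, probe))
    print("hardened:  ", search_hardened(conn, probe))
    # A bare wildcard also dumps the table through the vulnerable handler,
    # while the hardened handler treats it as a literal percent sign.
    print("vulnerable %:", search_vulnerable(conn, "%"))
    print("hardened %:  ", search_hardened(conn, "%"))
```

The fix is the placeholder binding, not input filtering: the same handler works for ordinary terms such as `ali`, and the escaping step only keeps `%` and `_` from widening the match, which is a correctness concern rather than the injection itself.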
Public references consist of GitHub repositories that document the issue, but no vendor advisories or official patches are referenced in the available data. The associated EPSS score is 0.8843 at both its current and peak values.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37880
Vulnerability details
EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in the web search interface enables exploitation of a public-facing application (T1190) and arbitrary data collection from the backend database (T1213.006).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.