CVE-2024-44903
Published: 25 March 2025
Summary
CVE-2024-44903 is a high-severity SQL Injection (CWE-89) vulnerability in Artresilia (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-44903 is a SQL injection vulnerability (CWE-89) affecting the SirsiDynix Horizon Information Portal, specifically versions of IPAC20 through 3.25_9382. The flaw resides in the ipac.jsp component, where a SELECT WHERE statement improperly handles user input from the uri= variable within the second part of the full= inner variable, allowing malicious SQL payloads to be injected.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables attackers to achieve high-impact confidentiality violations, such as extracting sensitive data from the underlying database, while integrity and availability remain unaffected.
A patch is available from the vendor to mitigate this issue, as noted in the CVE description. Additional details on exploitation and remediation are provided in advisories at https://www.artresilia.com/cve-2024-44903-sql-injection-vulnerability-in-horizon-information-portal/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54498
Vulnerability details
SQL Injection can occur in the SirsiDynix Horizon Information Portal (IPAC20) through 3.25_9382; however, a patch is available from the vendor. This is in ipac.jsp in a SELECT WHERE statement, in a part of the uri= variable in the second…
more
part of the full= inner variable.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web portal (ipac.jsp) directly enables T1190 for remote unauthenticated data extraction from the database.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of user inputs like the uri= variable in ipac.jsp to block SQL injection payloads before they reach the database query.
Mandates identification and timely patching of flaws, directly addressing the vendor-available patch for this SQL injection vulnerability.
Requires vulnerability scanning to identify SQL injection flaws like CVE-2024-44903 and subsequent risk-based remediation.