Cyber Resilience

CVE-2024-44903

Severity: High
Published: 25 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available from the vendor
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0011 (28.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-44903 is a high-severity SQL injection (CWE-89) vulnerability in the SirsiDynix Horizon Information Portal (IPAC20) through version 3.25_9382. NVD filed no CPE for this CVE, so the affected product is taken from the CVE description and the referenced advisory. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 28.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-44903 is a SQL injection vulnerability (CWE-89) in the SirsiDynix Horizon Information Portal, affecting IPAC20 versions through 3.25_9382. The flaw is in the ipac.jsp component: a SELECT ... WHERE statement is built from the uri= variable carried in the second part of the full= inner variable without neutralizing SQL metacharacters, so an attacker who controls that value can change the query's logic. Because the injectable value is nested inside another parameter, checks that only inspect top-level request parameters can miss it.

The CVSS v3.1 base vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5) means the flaw is exploitable over the network by an unauthenticated attacker, with low complexity and no user interaction. Successful exploitation has a high confidentiality impact, such as extracting data from the portal's backing database; the vector rates integrity and availability as unaffected.
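As an added illustration (not code from this page, from SirsiDynix or from the Artresilia advisory; the actual ipac.jsp query is not published here), the following Python models the CWE-89 pattern the description points at: a WHERE clause assembled by string concatenation from the uri= value, beside the parameterized form and an allow-list check of the kind SI-10 calls for. The table, column names, record identifiers and the allowed character set are constructed for the example.

```python
import re
import sqlite3

# Constructed catalogue table; the real Horizon schema is not on the page.
SAMPLE_ROWS = [
    ("bib-1001", "Public catalogue record", 0),
    ("bib-1002", "Staff-only record", 1),
    ("bib-1003", "Suppressed record", 1),
]


def make_db():
    """In-memory SQLite stand-in for the portal's backing database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE record (uri TEXT, title TEXT, restricted INTEGER)")
    conn.executemany("INSERT INTO record VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, uri):
    """CWE-89: the uri= value is spliced straight into the WHERE clause.
    A value such as ' OR 1=1 -- closes the string literal, makes the filter a
    tautology and comments out the trailing quote, so restricted rows leak too."""
    sql = ("SELECT uri, title FROM record "
           "WHERE restricted = 0 AND uri = '" + uri + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, uri):
    """Hardened form: the driver binds uri as data, never as SQL text."""
    sql = "SELECT uri, title FROM record WHERE restricted = 0 AND uri = ?"
    return conn.execute(sql, (uri,)).fetchall()


# Allow-list for the uri= value (SI-10 input validation). The character set is
# an assumption about what a legitimate record identifier looks like.
URI_RE = re.compile(r"[A-Za-z0-9._:/-]{1,128}")


def valid_uri(uri):
    """Reject anything outside the allow-list before it reaches the query."""
    return URI_RE.fullmatch(uri) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable   :", lookup_vulnerable(db, payload))      # all three rows
    print("parameterized:", lookup_parameterized(db, payload))   # []
    print("allow-listed :", valid_uri(payload), valid_uri("bib-1001"))
```

Parameterization is the fix that removes the bug class; the allow-list is defence in depth and also rejects the nested, URL-decoded value before it is ever used to build a query.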

A patch is available from the vendor, as the CVE description notes. Further exploitation and remediation details are in the Artresilia advisory at https://www.artresilia.com/cve-2024-44903-sql-injection-vulnerability-in-horizon-information-portal/.


Vulnerability details

SQL Injection can occur in the SirsiDynix Horizon Information Portal (IPAC20) through 3.25_9382; however, a patch is available from the vendor. This is in ipac.jsp in a SELECT WHERE statement, in a part of the uri= variable in the second part of the full= inner variable.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a public-facing web portal (ipac.jsp) directly enables T1190: remote, unauthenticated data extraction from the database.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
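To give the T1190 mapping something operational, here is an added Python hunt (not from this page or from any vendor tooling) that scans web-server access logs for ipac.jsp requests whose uri= value, whether top-level or nested inside full= as the CVE describes, contains SQL-injection indicators. It percent-decodes repeatedly so double-encoded payloads are inspected as well. The log lines, client addresses and the /ipac20/ipac.jsp path are constructed for the example, and the indicator regex is a starting point to tune against the portal's legitimate identifiers.

```python
import re
import urllib.parse

# Constructed access-log lines in Common Log Format (not real traffic).
LOG_LINES = [
    '203.0.113.7 - - [25/Mar/2025:10:01:02 +0000] "GET /ipac20/ipac.jsp?profile=public&full=uri%3Dbib-1001 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/Mar/2025:10:01:05 +0000] "GET /ipac20/ipac.jsp?profile=public&full=uri%3D%27%20OR%201%3D1%20-- HTTP/1.1" 200 98231',
    '203.0.113.9 - - [25/Mar/2025:10:01:07 +0000] "GET /ipac20/ipac.jsp?profile=public&uri=%2527%2520UNION%2520SELECT%25201%2520-- HTTP/1.1" 500 412',
    '198.51.100.4 - - [25/Mar/2025:10:02:00 +0000] "GET /ipac20/search.jsp?q=tolkien HTTP/1.1" 200 3300',
]

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Crude SQL-injection indicators: quotes, comment markers, UNION/SELECT and
# OR/AND tautologies. Tune to what legitimate uri= values look like.
SQLI_RE = re.compile(
    r"""(['"]|--|/\*|\bunion\b|\bselect\b|\b(?:or|and)\b\s+\d+\s*=\s*\d+)""",
    re.IGNORECASE,
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded payload like %2527 is examined as the quote it becomes."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def uri_candidates(query):
    """Every uri= value reachable from a query string: the top-level parameter
    and any uri= nested inside full= (the CVE's inner variable)."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    found = list(params.get("uri", []))
    for full in params.get("full", []):
        inner = urllib.parse.parse_qs(fully_decode(full), keep_blank_values=True)
        found.extend(inner.get("uri", []))
    return [fully_decode(v) for v in found]


def suspicious_requests(lines):
    """Return (client_ip, status, decoded_uri) for ipac.jsp requests whose
    uri= value matches the injection indicators."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        target = urllib.parse.urlsplit(m["target"])
        if not target.path.lower().endswith("/ipac.jsp"):
            continue
        for uri in uri_candidates(target.query):
            if SQLI_RE.search(uri):
                hits.append((m["ip"], m["status"], uri))
    return hits


if __name__ == "__main__":
    for ip, status, uri in suspicious_requests(LOG_LINES):
        print(f"{ip} status={status} uri={uri!r}")
```

Status codes are worth keeping in the output: a 500 after a UNION probe often marks the point where an attacker found the column count or hit a syntax error, while a 200 with an unusually large response body is the signature of a successful tautology.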

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

SirsiDynix Horizon Information Portal (IPAC20), versions through 3.25_9382
inferred from the CVE description and the referenced advisory; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation of user inputs like the uri= variable in ipac.jsp to block SQL injection payloads before they reach the database query.

SI-2 Flaw Remediation (prevent)

Mandates identification and timely patching of flaws, directly addressing the vendor-available patch for this SQL injection vulnerability.

RA-5 Vulnerability Monitoring and Scanning (prevent, detect)

Requires vulnerability scanning to identify SQL injection flaws like CVE-2024-44903 and subsequent risk-based remediation.

References

https://www.artresilia.com/cve-2024-44903-sql-injection-vulnerability-in-horizon-information-portal/