CVE-2024-5356
Published: 26 May 2024
Summary
CVE-2024-5356 is a medium-severity SQL Injection (CWE-89) vulnerability in Anji-Plus Aj-Report. Its CVSS base score is 5.3 (Medium).
Operationally, ranked in the top 11.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A vulnerability classified as critical was found in anji-plus AJ-Report versions up to 1.4.1. It is an SQL injection issue (CWE-89) affecting an unknown function in the file /dataSet/testTransform;swagger-ui, where manipulation of the dynSentence argument enables the flaw. The issue can be triggered remotely and carries a CVSS 4.0 score of 5.3 reflecting limited impacts on confidentiality, integrity, and availability when exploited by an authenticated user.
An attacker with low privileges can send a crafted request to the affected endpoint and execute arbitrary SQL statements against the backend database. Publicly disclosed proof-of-concept material demonstrates that the attack requires no user interaction and can be launched over the network, potentially allowing data exfiltration or modification within the scope of the application's database permissions.
The listed references consist of a GitHub issue thread, an attached proof-of-concept PDF, and Vuldb entries that document the flaw and the availability of exploit code; none of the sources describe vendor patches, configuration workarounds, or other mitigation steps. The associated EPSS score reached a modest peak of 0.0634 before receding to its current value of 0.0418, indicating limited and transient public exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46581
Vulnerability details
A vulnerability, which was classified as critical, was found in anji-plus AJ-Report up to 1.4.1. Affected is an unknown function of the file /dataSet/testTransform;swagger-ui. The manipulation of the argument dynSentence leads to sql injection. It is possible to launch the…
more
attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-266268.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.