Cyber Resilience

CVE-2024-5356

Medium severity · Public PoC

Published: 26 May 2024
Modified: 26 February 2025
KEV Added: not listed
Patch: none referenced
CVSS Score: v4 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0418 (88.9th percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5356 is a medium-severity SQL Injection (CWE-89) vulnerability in Anji-Plus Aj-Report. Its CVSS base score is 5.3 (Medium).

Operationally, it is ranked in the top 11.1% of CVEs by exploit likelihood (EPSS 0.0418); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

A vulnerability classified as critical was found in anji-plus AJ-Report versions up to 1.4.1. It is an SQL injection issue (CWE-89) affecting an unknown function in the file /dataSet/testTransform;swagger-ui; manipulating the dynSentence argument triggers the flaw. The issue can be triggered remotely and carries a CVSS 4.0 score of 5.3, reflecting limited impacts on confidentiality, integrity, and availability when exploited by an authenticated user.

An attacker with low privileges can send a crafted request to the affected endpoint and execute arbitrary SQL statements against the backend database. Publicly disclosed proof-of-concept material demonstrates that the attack requires no user interaction and can be launched over the network, potentially allowing data exfiltration or modification within the scope of the application's database permissions.

The listed references consist of a GitHub issue thread, an attached proof-of-concept PDF, and VulDB entries that document the flaw and the availability of exploit code; none of the sources describe vendor patches, configuration workarounds, or other mitigation steps. The associated EPSS score reached a modest peak of 0.0634 before receding to its current value of 0.0418, indicating limited and transient public exploitation interest after disclosure.
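As an added illustration that is not part of this advisory or the vendor's code, the check below hunts through web-server access logs for requests that reach the endpoint named above with a dynSentence parameter, which on versions up to 1.4.1 deserves review. The log lines, the regular expression and the function names are constructed assumptions; only query-string parameters are visible here, since standard access logs do not record POST bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.7 - user1 [26/May/2024:10:00:09 +0000] "POST /dataSet/testTransform;swagger-ui?dynSentence=select%201 HTTP/1.1" 200 88
10.0.0.7 - user1 [26/May/2024:10:00:12 +0000] "GET /dataSet/testTransform?dynSentence=select%201 HTTP/1.1" 200 88
10.0.0.9 - - [26/May/2024:10:00:20 +0000] "GET /dataSet/list HTTP/1.1" 200 2048
"""

# Assumed CLF layout: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

AFFECTED_PATH = "/dataSet/testTransform"   # endpoint named in the advisory
AFFECTED_PARAM = "dynSentence"             # argument named in the advisory


def normalize_path(path):
    # Drop any ';...' matrix-variable segment so the advisory's
    # '/dataSet/testTransform;swagger-ui' form matches the bare path too.
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def find_suspicious(log_text):
    """Return one record per request that hits the affected endpoint
    with the affected parameter present in the query string."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if normalize_path(parts.path) != AFFECTED_PATH:
            continue
        if AFFECTED_PARAM not in parse_qs(parts.query):
            continue
        hits.append({
            "ip": m["ip"], "user": m["user"], "ts": m["ts"],
            "method": m["method"], "status": int(m["status"]),
            # Flag the ';' path-parameter form separately for triage.
            "matrix_suffix": ";" in parts.path,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Two of the four constructed lines are reported; legitimate report-building traffic can also use this endpoint, so treat a hit as a triage lead tied to the affected version range rather than a verdict.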

EU & UK References

Vulnerability details

A vulnerability, which was classified as critical, was found in anji-plus AJ-Report up to 1.4.1. Affected is an unknown function of the file /dataSet/testTransform;swagger-ui. The manipulation of the argument dynSentence leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-266268.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

anji-plus aj-report (≤ 1.4.1)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)
- Validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)

References