CVE-2024-55971
Published: 23 January 2025
Summary
CVE-2024-55971 is a critical-severity SQL Injection (CWE-89) vulnerability in Logitime WebClock (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 30.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-55971 is a SQL injection vulnerability (CWE-89) present in the default configuration of the Logitime WebClock application, affecting versions up to and including 5.43.0. This flaw enables an unauthenticated user to execute arbitrary code on the backend database server. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), classifying it as critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, scope change, and high impacts across confidentiality, integrity, and availability.
Any unauthenticated attacker with network access to the vulnerable WebClock instance can exploit this SQL injection flaw without authentication or special privileges. Successful exploitation allows the attacker to run arbitrary SQL commands, potentially leading to full compromise of the backend database server, including data exfiltration, modification, or deletion, as well as potential privilege escalation or lateral movement within the environment.
Mitigation details and further technical information are available in vendor resources and the independent disclosure. Relevant references include the Logitime time-attendance page (https://en.logitime.com/time-attendance/), Dutch Logitime sites (https://nl.logitime.com/ and https://nl.logitime.com/download/webclock-v5-43-0-13-12-2024/), and a detailed disclosure at https://tulling.dev/disclosures/cve-2024-55971/. Security practitioners should review these for patching instructions or configuration hardening guidance specific to WebClock deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52871
Vulnerability details
SQL Injection vulnerability in the default configuration of the Logitime WebClock application <= 5.43.0 allows an unauthenticated user to run arbitrary code on the backend database server.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated SQL injection in a publicly accessible web application (WebClock) enabling arbitrary database commands and server compromise.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs, directly preventing SQL injection by rejecting or sanitizing malicious SQL payloads in the WebClock application.
SI-2 mandates timely identification, reporting, and correction of flaws, directly addressing this specific SQL injection vulnerability through patching.
CM-6 enforces secure configuration settings, mitigating the SQL injection flaw present in the default configuration of Logitime WebClock <= 5.43.0.