CVE-2024-26264
CRITICALEBM Technologies RISWEB 1.0-3.0 - Unauthenticated SQL Injection via Query Function Parameter
Title source: llmDescription
EBM Technologies RISWEB's specific query function parameter does not properly restrict user input, and this feature page is accessible without login. This allows remote attackers to inject SQL commands without authentication, enabling them to read, modify, and delete database records.
References (1)
Core 1
Core References
Third Party Advisory third-party-advisory
https://www.twcert.org.tw/tw/cp-132-7677-b1c0f-1.html
Scores
CVSS v3
9.8
EPSS
0.0085
EPSS Percentile
53.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (1)
ebmtech/risweb
1.0 - 3.0
Published
Feb 15, 2024
Tracked Since
Feb 18, 2026