CVE-2024-28145

MEDIUM

Scan2Net < 7.40 - Unauthenticated SQL Injection via GET Parameters

Title source: llm

Description

An unauthenticated attacker can perform an SQL injection by accessing the /class/dbconnect.php file and supplying malicious GET parameters. The HTTP GET parameters search, table, field, and value are vulnerable. For example, one SQL injection can be performed on the parameter "field" with the UNION keyword.

References (3)

Core References
Various Sources third-party-advisory
https://r.sec-consult.com/imageaccess

Scores

CVSS v3 5.9
EPSS 0.0052
EPSS Percentile 40.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
Image Access GmbH/Scan2Net < 7.40
Published Dec 12, 2024
Tracked Since Feb 18, 2026