CVE-2024-9968

HIGH

NewType WebEIP - Authenticated SQL Injection

Title source: llm
STIX 2.1

Description

WebEIP v3.0 from NewType does not properly validate user input, allowing remote attackers with regular privilege to inject SQL commands to read, modify, and delete data stored in database. The affected product is no longer maintained. It is recommended to upgrade to the new product.

References (2)

Core 2
Core References
Third Party Advisory third-party-advisory
https://www.twcert.org.tw/tw/cp-132-8132-160bb-1.html
Third Party Advisory third-party-advisory
https://www.twcert.org.tw/en/cp-139-8133-2cc3a-2.html

Scores

CVSS v3 8.8
EPSS 0.0063
EPSS Percentile 45.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
newtype/webeip 3.0
Published Oct 15, 2024
Tracked Since Feb 18, 2026