CVE-2024-28094 - OpenCVE

Chat functionality in Schoolbox application before version 23.1.3 is vulnerable to blind SQL Injection enabling the authenticated attackers to read, modify, and delete database records.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://schoolbox.education/
https://www.themissinglink.com.au/security-advisories/cve-2024-28094

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: TML

Published: 2024-03-07T03:14:25.843Z

Updated: 2024-06-04T18:03:28.556Z

Reserved: 2024-03-04T04:27:20.021Z

Link: CVE-2024-28094

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-03-07T04:15:07.333

Modified: 2024-03-07T13:52:27.110

Link: CVE-2024-28094

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28094", "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "state": "PUBLISHED", "assignerShortName": "TML", "dateReserved": "2024-03-04T04:27:20.021Z", "datePublished": "2024-03-07T03:14:25.843Z", "dateUpdated": "2024-06-04T18:03:28.556Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Schoolbox", "vendor": "Schoolbox Pty Ltd", "versions": [{"lessThan": "23.1.3", "status": "affected", "version": "0", "versionType": "Minor"}]}], "datePublic": "2024-03-06T08:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."}], "value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7 Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "shortName": "TML", "dateUpdated": "2024-03-07T03:14:25.843Z"}, "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"}, {"url": "https://schoolbox.education/"}], "source": {"discovery": "UNKNOWN"}, "title": "Blind SQL Injection in Chat functionality in Schoolbox", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28094", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-07T18:31:38.565724Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:03:28.556Z"}}]}}