SQL injection vulnerability in Gescen

Posted date 03/05/2024
Identifier
INCIBE-2024-0223
Importance
5 - Critical
Affected Resources

Gescen, 2023 version.

Description

INCIBE has coordinated the publication of a critical-severity vulnerability affecting Gescen version 2023, an educational platform created by the software development team of Centros Digitales. The vulnerability was discovered by Alberto Gasulla.

This vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2024-4466: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89.

Solution

The vulnerability has been fixed in the latest version of the product.

Detail

CVE-2024-4466: SQL injection vulnerability in Gescen on the centrosdigitales.net platform. This vulnerability allows an attacker to send a specially crafted SQL query to the pass parameter and retrieve all the data stored in the database.
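
The general CWE-89 pattern for a password parameter, shown as an added example that is not Gescen's code: the first function pastes request values into the SQL text, the second binds the user name and verifies the password outside SQL. The table, column and function names and the sample account are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def kdf(password, salt):
    """Derive a password hash; the raw password is never stored or sent to SQL."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """In-memory database with one constructed account (all names hypothetical)."""
    db = sqlite3.connect(":memory:")
    # pw_plain exists only so the weak variant below has something to compare.
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, "
               "pw_hash BLOB, pw_plain TEXT)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("teacher1", salt, kdf("correct-horse", salt), "correct-horse"))
    return db

def login_concat(db, user, pass_):
    """Weak (CWE-89): request values become part of the SQL statement text."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND pw_plain = '%s'"
           % (user, pass_))
    return db.execute(sql).fetchone() is not None

def login_bound(db, user, pass_):
    """Hardened: user name is a bound parameter; `pass` never reaches SQL."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (user,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    # Constant-time comparison of derived hashes, done in application code.
    return hmac.compare_digest(kdf(pass_, salt), pw_hash)

# Constructed input: a value containing a quote and SQL keywords.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concat, login_bound):
        print(fn.__name__,
              "valid:", fn(db, "teacher1", "correct-horse"),
              "crafted:", fn(db, "teacher1", CRAFTED))
```

In the concatenated variant the crafted value changes the structure of the statement, so the check passes without the password; in the bound variant the same value is only ever data.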
