CVE-2024-12097

Critical

Published: 05 March 2025

Published

05 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-12097 is an SQL Injection vulnerability (CWE-89), stemming from improper neutralization of special elements used in an SQL command. It affects Boceksoft Informatics E-Travel versions prior to 15.12.2024.

The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, requiring no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. Remote attackers without authentication can inject malicious SQL queries to potentially extract sensitive data, modify database contents, or disrupt service.

Mitigation involves upgrading to E-Travel version 15.12.2024 or later. Additional details are available in the advisory at https://www.usom.gov.tr/bildirim/tr-25-0053.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in a network-accessible web application with no authentication required directly enables remote exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.usom.gov.tr/bildirim/tr-25-0053
iletisim@usom.gov.tr