Cyber Posture

CVE-2024-12916

High

Published: 24 February 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agito Computer Life4All allows SQL Injection. This issue affects Life4All: before 10.01.2025.

Security Summary

CVE-2024-12916 is an SQL injection vulnerability (CWE-89) in Agito Computer Life4All, caused by improper neutralization of special elements used in an SQL command. The issue affects Life4All versions prior to 10.01.2025 and was published on 2025-02-24.

The vulnerability carries a CVSS v3.1 base score of 8.8 (High), with attack vector of network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and unchanged scope (S:U). Low-privileged remote attackers can exploit it to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), enabling arbitrary SQL command execution such as data exfiltration, modification, or deletion.

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0042 provides details on the vulnerability. Mitigation involves upgrading to Life4All version 10.01.2025 or later.

Details

CWE(s)
CWE-89

References