Cyber Posture

CVE-2024-44903

Severity: High

Published: 25 March 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (20.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-44903 is a SQL injection vulnerability (CWE-89) in the SirsiDynix Horizon Information Portal, affecting IPAC20 versions through 3.25_9382. The flaw is in the ipac.jsp component: a SELECT ... WHERE statement is built from user input taken from the uri= variable (the second part of the full= inner variable) without proper handling, so attacker-supplied SQL can be injected into the query.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation enables attackers to achieve high-impact confidentiality violations, such as extracting sensitive data from the underlying database, while integrity and availability remain unaffected.

A patch is available from the vendor to mitigate this issue, as noted in the CVE description. Additional details on exploitation and remediation are provided in advisories at https://www.artresilia.com/cve-2024-44903-sql-injection-vulnerability-in-horizon-information-portal/.
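The weakness class described above (CWE-89, input spliced into a WHERE clause) and the reason the patched form removes it are shown below in an added example. It is a Python/SQLite stand-in written for this page, not code from the Horizon Information Portal or from SirsiDynix; the catalogue table, its rows and the `restricted` column are constructed, and the function names are hypothetical. The vulnerable function mirrors the concatenation pattern, the hardened one the parameterised query that treats the same input as a literal.

```python
import sqlite3

# Constructed sample catalogue; the real portal schema is not on the page.
SAMPLE_ROWS = [
    ("Introduction to Algorithms", 0),
    ("The C Programming Language", 0),
    ("Staff-only acquisitions list", 1),   # restricted=1: must never be listed
]


def make_db():
    """Build an in-memory catalogue with one restricted row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE item (id INTEGER PRIMARY KEY, title TEXT, restricted INTEGER)"
    )
    conn.executemany(
        "INSERT INTO item (title, restricted) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def search_vulnerable(conn, term):
    """CWE-89 pattern: the search term is concatenated into the WHERE clause.

    Input containing a quote can close the string literal, and a trailing
    SQL comment discards the `AND restricted = 0` guard, so the query returns
    rows the caller was never meant to see (the confidentiality impact).
    """
    sql = (
        "SELECT title FROM item WHERE title = '" + term + "' AND restricted = 0"
    )
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    """Parameterised form: the term is bound as a value, never parsed as SQL."""
    sql = "SELECT title FROM item WHERE title = ? AND restricted = 0"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    conn = make_db()
    honest = "Introduction to Algorithms"
    print("vulnerable, honest input:", search_vulnerable(conn, honest))
    print("hardened,   honest input:", search_hardened(conn, honest))
    # Constructed input that breaks out of the literal and comments out the guard.
    tampered = "' OR 1=1 --"
    print("vulnerable, tampered input:", search_vulnerable(conn, tampered))
    print("hardened,   tampered input:", search_hardened(conn, tampered))
```

Both functions return the same single row for an ordinary title. For the tampered input the concatenating version returns every row, including the restricted one, while the parameterised version returns nothing because no title equals that string. This is the property a fix for CWE-89 has to deliver: user input reaches the database only as a bound value, whatever characters it contains.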

Details

CWE(s)
CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a public-facing web portal component (ipac.jsp) maps directly to T1190: a remote, unauthenticated attacker can use it to extract data from the backing database.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References