CVE-2024-50706
Published: 04 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-50706 is an unauthenticated SQL injection vulnerability (CWE-89) affecting Uniguest Tripleplay version 23.1 and later. It enables remote attackers to execute arbitrary SQL queries on the backend database. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, lack of privileges or user interaction requirements, and high impacts on confidentiality, integrity, and availability.
Remote attackers without authentication can exploit this vulnerability over the network by injecting SQL syntax into an affected endpoint's parameters, which the application concatenates into its database queries rather than passing them as bound values. Successful exploitation yields arbitrary SQL query execution, potentially leading to full database compromise, including data extraction, modification, or deletion, which is why all three impact metrics are rated high.
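To make the failure mode concrete, the following is an added illustration, not code from Uniguest or the Tripleplay product: a hypothetical lookup endpoint written the vulnerable way (string concatenation) beside its parameterized fix, exercised against a constructed in-memory SQLite database. The table names, columns and payloads are assumptions for the demonstration; nothing here is taken from the real application. It also includes the boolean-based differential check a tester would use to confirm an endpoint is injectable without dumping data.

```python
import sqlite3

# Constructed sample schema and rows (assumed for illustration; not Tripleplay's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("admin", "hash_admin", "admin"), ("guest", "hash_guest", "viewer")],
    )
    conn.execute("CREATE TABLE channels (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO channels (name, public) VALUES (?, ?)",
        [("Lobby TV", 1), ("Internal briefing", 0)],
    )
    return conn


def lookup_channel_vulnerable(conn, name):
    """Hypothetical vulnerable handler: the caller-controlled `name` is spliced
    into the SQL text, so quote characters in it change the query's structure."""
    sql = "SELECT name FROM channels WHERE public = 1 AND name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_channel_safe(conn, name):
    """Hardened form: the value is bound as a parameter, so it can only ever be
    compared as a string, never parsed as SQL."""
    sql = "SELECT name FROM channels WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Two classic payloads. The first neutralises the WHERE clause and exposes the
# non-public row; the second uses UNION to pull rows from an unrelated table.
TAUTOLOGY_PAYLOAD = "' OR 1=1 --"
UNION_PAYLOAD = "' UNION SELECT username || ':' || password_hash FROM users --"


def boolean_probe(lookup, conn, baseline="Lobby TV"):
    """Boolean-based differential check: append a true and a false condition to a
    known-good value. If the two responses differ, the input reaches the SQL
    parser. Returns True when the endpoint looks injectable."""
    true_payload = baseline + "' AND '1'='1"
    false_payload = baseline + "' AND '1'='2"
    return lookup(conn, true_payload) != lookup(conn, false_payload)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology:", lookup_channel_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union:    ", lookup_channel_vulnerable(db, UNION_PAYLOAD))
    print("safe, tautology:      ", lookup_channel_safe(db, TAUTOLOGY_PAYLOAD))
    print("safe, union:          ", lookup_channel_safe(db, UNION_PAYLOAD))
    print("probe vulnerable:", boolean_probe(lookup_channel_vulnerable, db))
    print("probe safe:      ", boolean_probe(lookup_channel_safe, db))
```

The vulnerable handler returns the non-public channel for the tautology payload and the contents of the `users` table for the UNION payload; the parameterized handler returns nothing for either, because the payload is compared literally against `name`. SQLite's Python driver refuses stacked statements, so the modification and deletion impacts the advisory cites are not shown here, but on drivers that accept multiple statements the same concatenation bug extends to `UPDATE` and `DELETE`.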
Uniguest has published mitigation guidance in its CVE bulletins at https://uniguest.com/cve-bulletins/ and a dedicated vulnerability summary PDF at https://uniguest.com/wp-content/uploads/2025/02/CVE-2024-50706-Vulnerability-Summary.pdf. Security practitioners should consult these advisories for patching instructions and workarounds.
Details
- CWE(s): CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected Products
- Uniguest Tripleplay, version 23.1 and later, as stated in the Security Summary above; consult the vendor bulletin for the exact fixed release
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Unauthenticated remote SQL injection in a public-facing application maps directly to T1190, Exploit Public-Facing Application: the attacker needs no credentials and no user interaction, only network reach to the vulnerable endpoint, which matches the AV:N/PR:N/UI:N vector above.