CVE-2024-54794
Published: 21 January 2025
Description
The script input feature of SpagoBI 3.5.1 allows arbitrary code execution.
Security Summary
CVE-2024-54794 affects SpagoBI version 3.5.1, where the script input feature enables arbitrary code execution. The vulnerability, published on 2025-01-21, is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection') and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), which is Critical severity: high impact to confidentiality, integrity and availability.
Exploitation requires network access (AV:N) and low attack complexity (AC:L), needs no user interaction (UI:N), but does require high privileges (PR:H), that is, an account already holding administrative-level rights in the application. An attacker with such an account can use the script input feature to execute arbitrary code. The scope change (S:C) indicates that the impact is not confined to the vulnerable component itself, so a successful exploit can lead to full compromise of the affected system.
Research on the vulnerability, including potential exploitation details, is documented in the following GitHub repositories: https://github.com/MarioTesoro/CVE-2024-54794 and https://github.com/MarioTesoro/vulnerability-research/tree/main/CVE-2024-54794. The available information contains no vendor advisory, patch, or mitigation guidance for this issue.
Details
- CWE(s)