CVE-2024-55971
Published: 23 January 2025
Description
SQL Injection vulnerability in the default configuration of the Logitime WebClock application <= 5.43.0 allows an unauthenticated user to run arbitrary code on the backend database server.
Security Summary
CVE-2024-55971 is a SQL injection vulnerability (CWE-89) present in the default configuration of the Logitime WebClock application, affecting versions up to and including 5.43.0. This flaw enables an unauthenticated user to execute arbitrary code on the backend database server. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), classifying it as critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, scope change, and high impacts across confidentiality, integrity, and availability.
Any attacker with network access to a vulnerable WebClock instance can exploit this SQL injection flaw without authentication or special privileges. Successful exploitation allows the attacker to run arbitrary SQL commands, potentially leading to full compromise of the backend database server, including data exfiltration, modification, or deletion, as well as potential privilege escalation or lateral movement within the environment.
Mitigation details and further technical information are available in vendor resources and the independent disclosure. Relevant references include the Logitime time-attendance page (https://en.logitime.com/time-attendance/), Dutch Logitime sites (https://nl.logitime.com/ and https://nl.logitime.com/download/webclock-v5-43-0-13-12-2024/), and a detailed disclosure at https://tulling.dev/disclosures/cve-2024-55971/. Security practitioners should review these for patching instructions or configuration hardening guidance specific to WebClock deployments.
Details
- CWE(s): CWE-89 (SQL Injection)