CVE-2024-57034

CriticalPublic PoC

Published: 17 January 2025

Published

17 January 2025

Modified

14 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0048 65.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-57034 is a SQL injection vulnerability (CWE-89) affecting WeGIA versions prior to 3.2.0. The flaw exists in the query_geracao_auto.php component, where the 'query' parameter fails to properly sanitize user input, allowing malicious SQL code execution. Published on January 17, 2025, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, enabling attackers to extract sensitive data, modify database contents, or disrupt services.

Mitigation guidance is available in the referenced advisories, including vulnerability research at https://github.com/nmmorette/vulnerability-research/tree/main/CVE-2024-57034 and the WeGIA project site at https://www.wegia.org. WeGIA versions 3.2.0 and later address the issue.

Details

CWE(s): CWE-89

Affected Products

wegia

≤ 3.2.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection vulnerability in public-facing web application WeGIA < 3.2.0 enables exploitation of public-facing applications.

References

https://github.com/nmmorette/vulnerability-research/tree/main/CVE-2024-57034
Exploit, Third Party Advisory · cve@mitre.org
https://www.wegia.org
Product · cve@mitre.org