CVE-2024-13979 CRITICAL

CVE-2024-13979: St. Joe ERP System SingleRowQueryConverter SQL Injection

Vendor Hangzhou Shengqiao Technology Co. Ltd.

Product St. Joe ERP System ("圣乔ERP系统")

Weakness CWE-89 · SQLi

Published August 27, 2025

Last update November 28, 2025

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling direct manipulation of the backend database. Successful exploitation may result in unauthorized data access, modification of records, or limited disruption of service. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-04-14 UTC.

Key dates

02Disclosure timeline

August 27, 2025 CVE published

November 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-13979

Related vulnerabilities

Identifiers

CVE CVE-2024-13979

CWE CWE-89

CVSS 9.3 / CRITICAL

Affected versions