CVE-2024-26264 CRITICAL

CVE-2024-26264: EBM Technologies RISWEB - SQL Injection

Vendor Ebm Technologies
Product RISWEB
Weakness CWE-89 · SQLi
Published February 15, 2024
Last update August 6, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

EBM Technologies RISWEB's specific query function parameter does not properly restrict user input, and this feature page is accessible without login. This allows remote attackers to inject SQL commands without authentication, enabling them to read, modify, and delete database records.

Key dates

02Disclosure timeline

February 15, 2024 CVE published
August 6, 2024 Record updated