CVE-2024-28094 HIGH

CVE-2024-28094: Blind SQL Injection in Chat functionality in Schoolbox

Vendor Schoolbox Pty Ltd

Product Schoolbox

Weakness CWE-89 · SQLi

Published March 7, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Chat functionality in Schoolbox application before version 23.1.3 is vulnerable to blind SQL Injection enabling the authenticated attackers to read, modify, and delete database records.

Key dates

02Disclosure timeline

March 7, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-28094 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

04Related CVE

CVE-2024-48043 WordPress ShortPixel Image Optimizer plugin <= 5.6.3 - SQL Injection vulnerability CVE-2026-1121 Yonyou KSOA HTTP GET Parameter del_workplan.jsp sql injection CVE-2024-10844 1000 Projects Bookstore Management System search.php sql injection CVE-2021-24340 WP Statistics < 13.0.8 - Unauthenticated SQL Injection CVE-2025-31531 WordPress History Log by click5 plugin <= 1.0.13 - SQL Injection vulnerability