CVE-2024-53678 MEDIUM

CVE-2024-53678: Apache VCL: SQL injection vulnerability in New Block Allocation form

Vendor Apache Software Foundation

Product Apache VCL

Weakness CWE-89 · SQLi

Published March 25, 2025

Last update March 31, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M

What the vulnerability does

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker. This issue affects all versions of Apache VCL from 2.2 through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue.

Key dates

Disclosure timeline

March 25, 2025 CVE published

March 31, 2025 Record updated

Identifiers

CVE CVE-2024-53678

CWE CWE-89

CVSS 5.1 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache VCL

Affected ≥ 2.2 and ≤ 2.5.1