What the vulnerability does
01Description
SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
CVSS base score
6.5/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CISA mandated remediation
02CISA Required Action
As Ivanti CSA 4.6.x has reached End-of-Life status, users are urged to remove CSA 4.6.x from service or upgrade to the 5.0.x line, or later, of supported solution.
Key dates
03Disclosure timeline
October 8, 2024
CVE published
October 21, 2025
Record updated
External resources
04References
NVD — National Vulnerability Database
https://nvd.nist.gov/vuln/detail/CVE-2024-9379
CWE — Common Weakness Enumeration
https://cwe.mitre.org/data/definitions/89.html
CISA KEV Reference
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-C…
CISA KEV Reference
https://nvd.nist.gov/vuln/detail/CVE-2024-9379
Related vulnerabilities
05Related CVE
CVE-2024-5984 itsourcecode Online Bookstore book.php sql injection
CVE-2024-43207 WordPress Unite Gallery Lite plugin <= 1.7.62 - SQL Injection vulnerability
CVE-2023-5047 SQLi in DRDrive
CVE-2024-12978 code-projects Job Recruitment _all_edits.php add_req sql injection
CVE-2024-10658 Tongda OA check_seal.php sql injection
