CVE-2024-39250
published 2024-07-22CVE-2024-39250: EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.
PriorityP270critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
4.93%
91.0th percentile
EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| efrotech | timetrax | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →HTTP 500 response containing both 'Incorrect syntax near' and 'Unclosed quotation mark after the character string' in the body indicates successful SQL injection trigger via the q parameter on /search.aspx ↗
- →Target fingerprinting: confirm EfroTech Timetrax instance by checking for 'TimeTrax - Cloud HR Software' string in the body of /Login.aspx with HTTP 200 and text/html content-type before probing for SQLi ↗
- →The SQL injection is unauthenticated and triggered via the 'q' parameter in the search web interface (GET /search.aspx?q=); no session or authentication cookie is required ↗
- ·The Nuclei template uses a two-step flow: step 1 confirms the Timetrax login page is present before step 2 fires the SQLi probe. Both conditions must be met for a true positive. ↗
- ·EPSS score is very high (0.84225, 99.3rd percentile), indicating this vulnerability is actively being exploited or has high exploitation probability in the wild. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
EfroTech Timetrax v8.3 - Sql Injection
nuclei·CVSS 9.8
CVE-2024-39250 [CRITICAL] EfroTech Timetrax v8.3 - Sql Injection
EfroTech Timetrax v8.3 - Sql Injection
EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.
Template:
id: CVE-2024-39250
info:
name: EfroTech Timetrax v8.3 - Sql Injection
author: s4e-io,efran
severity: high
description: |
EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.
impact: |
Unauthenticated attackers can execute SQL injection attacks to extract or modify sensitive timetrax database information.
remediation: |
Update EfroTech Timetrax to a version later than v8.3 that patches the SQL injection vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-39250
- https://www.tenable.com/cv
No writeups or analysis indexed.
2024-07-22
Published