cbcvebase.
CVE-2024-39250
published 2024-07-22

CVE-2024-39250: EfroTech Timetrax v8.3 was discovered to contain an unauthenticated SQL injection vulnerability via the q parameter in the search web interface.

Priority: P270 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, no privileges, no user interaction, unchanged scope, high confidentiality/integrity/availability impact)
Exploit: flagged as available on the source page
EPSS: 4.93% (91.0th percentile)

Affected (1 range)

Vendor: efrotech
Product: timetrax
Version range: not listed in this entry (the description names v8.3)
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /search.aspx?q='
url: /Login.aspx
other: icon_hash=-661694518
  • An HTTP 500 response whose body contains both 'Incorrect syntax near' and 'Unclosed quotation mark after the character string' indicates the SQL injection was triggered via the q parameter on /search.aspx. Both strings are Microsoft SQL Server parser errors (messages 102 and 105), which is what a stray single quote reaching an unparameterized query behind an ASP.NET page produces.
  • Target fingerprinting: confirm an EfroTech Timetrax instance by checking for the 'TimeTrax - Cloud HR Software' string in the body of /Login.aspx (HTTP 200, text/html content-type) before probing for the SQLi.
  • The SQL injection is unauthenticated and triggered via the 'q' parameter of the search web interface (GET /search.aspx?q=); no session or authentication cookie is required.
  • The Nuclei template uses a two-step flow: step 1 confirms the Timetrax login page is present, and only then does step 2 fire the SQLi probe. Both conditions must be met for a true positive; an error-string match alone would also fire on any other application that leaks SQL Server errors.
  • The source notes cite an EPSS score of 0.84225 (99.3rd percentile), while this page's header shows 4.93% (91.0th percentile). EPSS is recomputed daily, so the two figures are snapshots from different dates. In either case EPSS is an estimate of the probability of exploitation in the next 30 days, not confirmation of active exploitation; CISA KEV is the place to check for that.
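The two-step check described in the notes above, written out as an added example (it is not the original entry's content or the referenced Nuclei template). The detection logic is the one the notes give: fingerprint /Login.aspx, then send GET /search.aspx?q=' and require a 500 with both SQL Server error strings. The HTTP client is injected as a callable so the block runs offline against constructed responses for a vulnerable host, a patched host, and an unrelated host that also leaks SQL Server errors. The `urllib_fetcher` helper, the `https://timetrax.example` base URL and the canned response bodies are assumptions for illustration.

```python
"""Two-step check for the CVE-2024-39250 indicator: fingerprint TimeTrax, then probe /search.aspx?q='."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import urljoin, urlparse

FINGERPRINT = "TimeTrax - Cloud HR Software"
SQLI_MARKERS = ("Incorrect syntax near",
                "Unclosed quotation mark after the character string")


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


Fetcher = Callable[[str], Response]


def content_type(resp: Response) -> str:
    """Header lookup that ignores key case (servers send Content-Type or content-type)."""
    return next((v for k, v in resp.headers.items() if k.lower() == "content-type"), "").lower()


def is_timetrax(resp: Response) -> bool:
    """Step 1: /Login.aspx must be HTTP 200, text/html and carry the TimeTrax title string."""
    return (resp.status == 200
            and content_type(resp).startswith("text/html")
            and FINGERPRINT in resp.body)


def sqli_triggered(resp: Response) -> bool:
    """Step 2: HTTP 500 whose body carries both SQL Server parser errors (Msg 102 and Msg 105)."""
    return resp.status == 500 and all(m in resp.body for m in SQLI_MARKERS)


def check_target(base_url: str, fetch: Fetcher) -> Tuple[bool, str]:
    """Run both steps; the probe is only sent when the fingerprint matches, as in the template flow."""
    login = fetch(urljoin(base_url, "/Login.aspx"))
    if not is_timetrax(login):
        return False, "fingerprint missing on /Login.aspx; SQLi probe not sent"
    probe = fetch(urljoin(base_url, "/search.aspx?q='"))
    if sqli_triggered(probe):
        return True, "HTTP 500 with both SQL Server error strings on /search.aspx?q='"
    return False, "fingerprint matched but the probe did not return the error signature"


def urllib_fetcher(timeout: float = 10.0) -> Fetcher:
    """Assumed live HTTP client (not exercised here). 4xx/5xx bodies are returned rather than
    raised, because the 500 body is exactly what step 2 inspects."""
    import urllib.error
    import urllib.request

    def fetch(url: str) -> Response:
        req = urllib.request.Request(url, headers={"User-Agent": "cve-2024-39250-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                return Response(r.getcode(), dict(r.headers), r.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))
    return fetch


def make_fake_fetcher(routes: Dict[str, Response]) -> Fetcher:
    """Constructed stand-in for the HTTP client: maps 'path?query' to a canned Response."""
    def fetch(url: str) -> Response:
        p = urlparse(url)
        key = p.path + ("?" + p.query if p.query else "")
        return routes.get(key, Response(404, {"Content-Type": "text/html"}, "Not Found"))
    return fetch


HTML = {"Content-Type": "text/html; charset=utf-8"}
LOGIN_PAGE = Response(200, HTML, "<html><head><title>TimeTrax - Cloud HR Software</title></head></html>")

# Constructed sample hosts; none of these bodies come from a real Timetrax deployment.
VULNERABLE_HOST = make_fake_fetcher({
    "/Login.aspx": LOGIN_PAGE,
    "/search.aspx?q='": Response(500, HTML,
        "<h1>Server Error</h1><p>Unclosed quotation mark after the character string ''. "
        "Incorrect syntax near ''.</p>"),
})
PATCHED_HOST = make_fake_fetcher({          # same app, quote handled: no error signature
    "/Login.aspx": LOGIN_PAGE,
    "/search.aspx?q='": Response(200, HTML, "<p>No results for &#39;</p>"),
})
UNRELATED_HOST = make_fake_fetcher({        # other app leaking SQL Server errors; the fingerprint
    "/Login.aspx": Response(200, HTML, "<title>Some Other Portal</title>"),   # step keeps it out
    "/search.aspx?q='": Response(500, HTML,                                    # of this CVE's hits
        "Incorrect syntax near ''. Unclosed quotation mark after the character string ''."),
})

if __name__ == "__main__":
    for name, host in [("vulnerable", VULNERABLE_HOST), ("patched", PATCHED_HOST), ("unrelated", UNRELATED_HOST)]:
        hit, why = check_target("https://timetrax.example", host)
        print(f"{name:10s} hit={hit} ({why})")
    # Live use (assumed): check_target("https://target.example", urllib_fetcher())
```

The unrelated host is the case the two-step flow exists for: it returns the same 500 error signature, but without the TimeTrax fingerprint the probe is never sent and the host is not reported as this CVE. Swap `urllib_fetcher()` in for the fake fetcher to run the same logic against a real base URL.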