CVE-2024-44349
published 2024-10-08

Priority P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.62% (92.0th percentile)

A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB.

Detection & IOCs (extracted from sources)

url: `/default.aspx`
command: `aa'union%20select+cast(@@version%20as%20int),null,null--%20-`
sigma: `Conversion failed when converting the nvarchar value 'Microsoft SQL Server'`
  • SQL injection is delivered via the `username` parameter (`UsrAuthLogin`) in a POST to `/default.aspx`. Detection should monitor for UNION-based SQL payloads (e.g., `union select cast(@@version as int)`) in that field.
  • A successful exploitation attempt produces the error string `Conversion failed when converting the nvarchar value 'Microsoft SQL Server'` in the HTTP response body. Monitor web/application logs for this string.
  • The attack is unauthenticated and targets the login portal. The exploit flow first GETs `/default.aspx` to harvest ASP.NET ViewState/EventValidation tokens, then POSTs the injected payload — look for this two-request pattern from the same source IP.
  • Use the Shodan dork `html:"ANTEEO"` to identify exposed AnteeoWMS instances for asset inventory and proactive patching.
  • The POST request uses `Content-Type: application/x-www-form-urlencoded; charset=UTF-8` and includes the `__CALLBACKID=ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel` parameter — this callback mechanism is the injection vector and can be used as a WAF/IDS filter anchor.
  • The vulnerability only affects AnteeoWMS versions prior to v4.7.34. Instances running v4.7.34 or later are not affected.
  • The underlying database is Microsoft SQL Server; the UNION-based payload and error-based detection string are MSSQL-specific and will not apply to other DB backends.
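
The indicators listed above can be combined into one log check. The following is an added example, not code from the vendor or from the sources this page cites; the event schema (`ts`, `src`, `method`, `path`, `body`, `resp`), the 60-second correlation window, the suffix match on the `UsrAuthLogin` key and the sample records are all assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Prefix of the MSSQL error string quoted on this page.
ERROR_MARK = "Conversion failed when converting the nvarchar value 'Microsoft SQL Server"
UNION_RE = re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I)
WINDOW_S = 60  # assumption: max seconds between the token GET and the POST

def score_events(events):
    """Flag POSTs to /default.aspx that match the indicators listed above.
    events: dicts with ts, src, method, path, body, resp (constructed schema)."""
    last_get, alerts = {}, []  # last_get: source IP -> time of latest GET
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["path"].split("?")[0].lower() != "/default.aspx":
            continue
        if ev["method"] == "GET":
            last_get[ev["src"]] = ev["ts"]
            continue
        if ev["method"] != "POST":
            continue
        # parse_qsl undoes %20 and + so encoded payloads are matched decoded
        form = dict(parse_qsl(ev.get("body", ""), keep_blank_values=True))
        # assumption: the posted key may carry an ASP.NET control prefix
        user = next((v for k, v in form.items() if k.endswith("UsrAuthLogin")), "")
        hits = []
        if UNION_RE.search(user):
            hits.append("union_select_in_username")
        if "ASPxCallbackPanel" in form.get("__CALLBACKID", ""):
            hits.append("callback_panel")
        if ERROR_MARK in ev.get("resp", ""):
            hits.append("mssql_conversion_error")
        seen = last_get.get(ev["src"])
        if seen is not None and ev["ts"] - seen <= WINDOW_S:
            hits.append("get_then_post")
        # The callback and GET-then-POST traits also occur in normal logins,
        # so alert only when an injection or error indicator is present.
        if {"union_select_in_username", "mssql_conversion_error"} & set(hits):
            alerts.append({"src": ev["src"], "ts": ev["ts"], "hits": hits})
    return alerts

CB = "__CALLBACKID=ctl00%24MainContentPlaceHolder%24ASPxCallbackPanel"
SAMPLE_EVENTS = [  # constructed records using documentation IP ranges
    {"ts": 100, "src": "203.0.113.7", "method": "GET", "path": "/default.aspx"},
    {"ts": 102, "src": "203.0.113.7", "method": "POST", "path": "/default.aspx",
     "body": CB + "&UsrAuthLogin=aa'union%20select+cast(@@version%20as%20int),null,null--%20-",
     "resp": ERROR_MARK + " ..."},
    {"ts": 200, "src": "198.51.100.20", "method": "GET", "path": "/default.aspx"},
    {"ts": 205, "src": "198.51.100.20", "method": "POST", "path": "/default.aspx",
     "body": CB + "&UsrAuthLogin=jsmith", "resp": "login ok"},
]
```

The ordinary login from `198.51.100.20` shares the callback parameter and the GET-then-POST sequence, which is why those two traits only add context to an alert and never raise one alone.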