CRITICAL🇵🇱 Wersja polska

CVE-2024-38889

CVSS 9.8v3.1pub. 2024-08-02upd. 2026-07-05

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform SQL Injection due to improper neutralization of special elements used in an SQL command.

🤖 AI Analysis
How it works

The vulnerability results from improper neutralization of special characters in SQL commands (CWE-89) and system commands (CWE-78). An attacker remotely, without the need for authentication, can inject malicious input into SQL queries handled by the application. The network attack vector with low complexity (AV:N/AC:L/PR:N/UI:N) means that the exploit can be carried out by any unauthenticated network user.

Impact

An attacker can gain full access to the application database (read, modify, delete data), and in combination with a command injection vulnerability, potentially take control of the server operating system. The consequences include loss of confidentiality, integrity, and data availability.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. As temporary measures, it is recommended to restrict network access to the Caterease application only to trusted IP addresses and implement a Web Application Firewall (WAF) that filters malicious SQL queries.

Who is affected

Horizon Business Services Inc. Caterease versions from 16.0.1.1663 to 24.0.1.2405 and potentially later versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Horizoncloud Caterease

    APP
    Horizoncloud
    16.0.1.1663 – 24.0.1.2405
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiCommand Injection
CWE
References

Related vulnerabilities

CVE-2024-38883CRITICAL9.1PL ✓ten sam produkt

Caterease: obniżenie poziomu szyfrowania przez wybór słabszego algorytmu

CVE-2024-38886CRITICAL9.8PL ✓ten sam produkt

Traffic Injection w Horizoncloud Caterease – brak weryfikacji źródła komunikacji

CVE-2024-38887CRITICAL9.8PL ✓ten sam produkt

Command Injection w Horizoncloud Caterease — zdalne przejęcie systemu OS

CVE-2024-38882CRITICAL9.8PL ✓ten sam produkt

SQL Injection umożliwiający command injection w Horizoncloud Caterease

CVE-2024-38891HIGH7.5ten sam produkt

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versio...