Multiple vulnerabilities in SportsNET
Posted date 29/08/2024
Identifier
INCIBE-2024-0422
Importance
5 - Critical
Affected Resources
SportsNET, version 4.0.1.
Description
INCIBE has coordinated the publication of 9 vulnerabilities of critical severity affecting SportsNET version 4.0.1, which have been discovered by Asier Barranco of Telefónica Tech.
Each vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
- From CVE-2024-29723 to CVE-2024-29731: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89.
Solution
No solution reported at this time.
Detail
SportsNET version 4.0.1 is affected by SQL injection vulnerabilities. These vulnerabilities could allow an attacker to retrieve, update and delete all information in the database by sending a specially crafted SQL query.
The list of assigned CVEs is as follows:
- CVE-2024-29723: https://XXXXXXX.saludydesafio.com/conexiones/ax/openTracExt/, parameter categoria;
- CVE-2024-29724: https://XXXXXXX.saludydesafio.com/ax/registerSp/, parameter idDesafio;
- CVE-2024-29725: https://XXXXXXX.saludydesafio.com/app/ax/sort_bloques/, parameter list;
- CVE-2024-29726: https://XXXXXXX.saludydesafio.com/app/ax/setAsRead/, parameter id;
- CVE-2024-29727: https://XXXXXXX.saludydesafio.com/app/ax/sendParticipationRemember/, parameter send;
- CVE-2024-29728: https://XXXXXXX.saludydesafio.com/app/ax/inscribeUsuario/, parameter idDesafio;
- CVE-2024-29729: https://XXXXXXX.saludydesafio.com/app/ax/generateShortURL/, parameter url;
- CVE-2024-29730: https://XXXXXXX.saludydesafio.com/app/ax/consejoRandom/, parameter idCat;
- CVE-2024-29731: https://XXXXXXX.saludydesafio.com/app/ax/checkBlindFields/, parameters idChallenge and idEmpresa.
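All nine findings above are CWE-89, i.e. a request parameter ends up inside the text of an SQL statement instead of being passed as a value. The following is an added illustration, not SportsNET code and not from INCIBE or the researcher: it takes `idCat` (the parameter named for CVE-2024-29730) as its example, builds a throwaway SQLite table of tips by category, and runs the same lookup in the vulnerable string-concatenation form and in a hardened form that validates the expected type and binds the value. The table name, the rows and the `consejo_*` functions are all constructed here; the real application's schema and code are unknown.

```python
# Added example (not SportsNET code): the same lookup written with string
# concatenation, as the advisory's CWE-89 findings imply, and with a bound
# parameter plus type validation. The table, rows and the idCat handling are
# constructed for illustration; the real application's schema is unknown.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table of 'consejos' (tips) by category."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE consejos (id INTEGER PRIMARY KEY, idCat INTEGER, texto TEXT)"
    )
    # Constructed sample rows: two tips in category 1, one each in 2 and 3.
    conn.executemany(
        "INSERT INTO consejos (idCat, texto) VALUES (?, ?)",
        [(1, "tip a"), (1, "tip b"), (2, "tip c"), (3, "tip d")],
    )
    conn.commit()
    return conn


def consejo_vulnerable(conn: sqlite3.Connection, id_cat: str) -> list:
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so whatever the client sends is parsed as SQL, not treated as a value."""
    sql = "SELECT id, texto FROM consejos WHERE idCat = " + id_cat
    return conn.execute(sql).fetchall()


def consejo_safe(conn: sqlite3.Connection, id_cat: str) -> list:
    """Hardened form: validate the type the endpoint actually expects, then
    pass the value as a bound parameter so the driver never treats it as SQL."""
    try:
        cat = int(id_cat)
    except (TypeError, ValueError):
        raise ValueError("idCat must be an integer") from None
    return conn.execute(
        "SELECT id, texto FROM consejos WHERE idCat = ?", (cat,)
    ).fetchall()


def compare(id_cat: str) -> dict:
    """Run both variants on one input; report row counts and whether the
    hardened variant rejected the input outright."""
    conn = make_db()
    vulnerable_rows = len(consejo_vulnerable(conn, id_cat))
    try:
        safe_rows = len(consejo_safe(conn, id_cat))
        rejected = False
    except ValueError:
        safe_rows = 0
        rejected = True
    return {
        "vulnerable_rows": vulnerable_rows,
        "safe_rows": safe_rows,
        "rejected": rejected,
    }


if __name__ == "__main__":
    # A well-formed category id: both variants return the single category-2 row.
    print(compare("2"))
    # A value that is not an integer: the concatenated statement returns every
    # row because the input is parsed as SQL; the hardened variant rejects it
    # before any statement is built.
    print(compare("2 OR 1=1"))
```

Binding the value (or using an ORM that does so) removes the whole class of defect for that query; casting to the expected type first is defence in depth and gives the application a clean place to log rejected input. The advisory's impact statement (retrieve, update and delete all information) is also a reminder that the web tier's database account should not hold more privileges than the endpoints need, so that a single injectable parameter cannot reach write operations on unrelated tables.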