CRITICAL🇵🇱 Wersja polska

CVE-2024-10440

CVSS 9.8v3.1pub. 2024-10-28upd. 2025-09-25

The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents.

🤖 AI Analysis
How it works

The vulnerability results from lack of proper validation and sanitization of input data passed to SQL queries (CWE-89). An attacker can inject malicious SQL commands directly over the network without needing a system account. This allows manipulation of the logic of queries directed to the application database.

Impact

An attacker can read, modify, or delete the contents of the eHDR CTMS system database, which may lead to disclosure of sensitive patient data or disruption of the clinical trial management system.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8169-0632f-2.html)

Who is affected

Sun.Net eHDR CTMS — versions indicated in the manufacturer's references (TWCERT)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Sun.net Ehrd Ctms

    APP
    Sun.Net
    < 10.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-54946CRITICAL9.3PL ✓ten sam produkt

SQL Injection w SUNNET Corporate Training Management System

CVE-2025-54945CRITICAL10.0PL ✓ten sam produkt

RCE poprzez external control of file path w SUNNET CTMS

CVE-2025-54943CRITICAL9.3PL ✓ten sam produkt

Brak autoryzacji w SUNNET CTMS umożliwia nieautoryzowane wdrożenie aplikacji

CVE-2025-54942CRITICAL9.3PL ✓ten sam produkt

Brak uwierzytelnienia w SUNNET CTMS — dostęp do funkcji wdrożeniowych

CVE-2026-7489HIGH8.7ten sam produkt

CTMS developed by Sunnet has a SQL Injection vulnerability, allowing authenticated remote attackers to inject ...