CRITICAL🇵🇱 Wersja polska

CVE-2024-30922

CVSS 9.8v3.1pub. 2024-04-18upd. 2025-11-04

SQL Injection vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the where Clause in Award Document Rendering.

🤖 AI Analysis
How it works

An attacker can inject malicious SQL code through the WHERE clause used during award document rendering. Improper validation or lack of adequate input data sanitization allows manipulation of database queries. Through a properly crafted query, it is possible to execute arbitrary code on the server.

Impact

An attacker can gain full access to the database (read, modify, delete data) and execute arbitrary code on the server, which may lead to complete system takeover.

Mitigation & patch

Apply patches available from the vendor according to the references. It is also recommended to implement validation and sanitization of input data and consider using parameterized queries (prepared statements) as a temporary security measure.

Who is affected

DerbyNet v9.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Derbynet

    APP
    Derbynet
    ≤ 9.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLi
CWE
References

Related vulnerabilities

CVE-2024-30923CRITICAL9.8PL ✓ten sam produkt

SQL Injection z możliwością RCE w DerbyNet v9.0 i wcześniejszych

CVE-2024-31818CRITICAL9.8PL ✓ten sam produkt

Path Traversal z RCE w DerbyNet v.9.0 — komponent kiosk.php

CVE-2024-30920HIGH7.4ten sam produkt

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary co...

CVE-2024-30928HIGH8.1ten sam produkt

SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via ...

CVE-2024-30929HIGH8.0ten sam produkt

Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via t...