CRITICAL🇵🇱 Wersja polska

CVE-2024-38882

CVSS 9.8v3.1pub. 2024-08-02upd. 2026-07-05

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform command line execution through SQL Injection due to improper neutralization of special elements used in an OS command.

🤖 AI Analysis
How it works

The Caterease application improperly neutralizes special characters passed in SQL queries, which are subsequently interpreted as operating system commands (CWE-78 — improper neutralization of special elements used in an OS command). An attacker can remotely, without authentication, prepare malicious input containing an SQL Injection payload, which consequently leads to execution of arbitrary commands at the operating system level. The attack is possible over the network, does not require user interaction or any privileges.

Impact

An attacker can gain full control over the system — read, modify or delete data, as well as execute arbitrary system commands, which may lead to complete server takeover (RCE).

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is recommended to monitor official vendor channels (caterease.com, horizon.com) for update information. Until the patch is applied, it is recommended to restrict network access to the application only to trusted hosts via firewall.

Who is affected

Horizoncloud Caterease versions from 16.0.1.1663 to 24.0.1.2405 and potentially newer versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Horizoncloud Caterease

    APP
    Horizoncloud
    16.0.1.1663 – 24.0.1.2405
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiCommand Injection
CWE
References

Related vulnerabilities

CVE-2024-38886CRITICAL9.8PL ✓ten sam produkt

Traffic Injection w Horizoncloud Caterease – brak weryfikacji źródła komunikacji

CVE-2024-38887CRITICAL9.8PL ✓ten sam produkt

Command Injection w Horizoncloud Caterease — zdalne przejęcie systemu OS

CVE-2024-38889CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Horizoncloud Caterease — zdalne wykonanie zapytań

CVE-2024-38883CRITICAL9.1PL ✓ten sam produkt

Caterease: obniżenie poziomu szyfrowania przez wybór słabszego algorytmu

CVE-2024-38891HIGH7.5ten sam produkt

An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versio...