High severity 7.5 · NVD Advisory · Published May 28, 2024 · Updated Apr 15, 2026

CVE-2024-33450

Description

SQL injection in Finereport v.8.0 allows a remote attacker to obtain sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Finereport versions 8.0 and 9.0 contain a SQL injection vulnerability allowing remote unauthenticated attackers to obtain sensitive information.

Vulnerability Overview

Finereport versions 8.0 and 9.0 are affected by a SQL injection vulnerability that enables unauthenticated remote attackers to execute arbitrary SQL commands. The flaw arises from insufficient sanitization of user-supplied input within the application's query mechanisms, allowing crafted malicious strings to alter the intended SQL logic [1].

Exploitation

An attacker can exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable Finereport application, typically via web interface parameters that concatenate user input directly into SQL statements. No prior authentication is required, and the attack can be carried out over the network. The attacker injects SQL payloads that bypass input validation and are executed by the backend database [1].

Impact

Successful exploitation allows an attacker to retrieve, modify, or delete sensitive data stored in the database. This could include user credentials, business reports, or other confidential information, leading to data breach, data loss, or further compromise of the system. The impact is particularly severe due to the unauthenticated nature of the vulnerability [1].

Mitigation

As of publication, both Finereport 8.0 and 9.0 are confirmed vulnerable. Users are advised to upgrade to a patched version if available, or apply input validation, use parameterized queries, and implement web application firewalls to mitigate the risk. The vendor should be contacted for an official patch [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1