CVE-2024-44903
Description
SQL Injection can occur in the SirsiDynix Horizon Information Portal (IPAC20) through 3.25_9382; however, a patch is available from the vendor. This is in ipac.jsp in a SELECT WHERE statement, in a part of the uri= variable in the second part of the full= inner variable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in SirsiDynix Horizon Information Portal allows attackers to read the entire database.
Vulnerability
CVE-2024-44903 is an unauthenticated SQL injection vulnerability in the SirsiDynix Horizon Information Portal (IPAC20) through version 3.25_9382. The flaw exists in ipac.jsp within a SELECT WHERE statement, specifically in the second part of the full= inner variable, which is carried in a part of the uri= variable [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by crafting a malicious URL containing SQL injection payloads in the full= inner variable of the uri= variable. The attack requires no user interaction and has low complexity, making it easily exploitable over the network [1].
Impact
Successful exploitation allows an unauthenticated attacker to gain full read access to the underlying database. This compromises confidentiality of all data stored in the database, including potentially sensitive library patron information [1]. The CVSS score of 7.5 (High) reflects the serious confidentiality impact.
Mitigation
The vendor, SirsiDynix, has released a patch to address this vulnerability. Affected users are advised to contact SirsiDynix to obtain and apply the latest update [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References