CVE-2024-45876
Description
The login form of baltic-it TOPqw Webportal v1.35.283.2 (fixed in version 1.35.283.4) at /Apps/TOPqw/Login.aspx is vulnerable to SQL injection. The vulnerability exists in the POST parameter txtUsername, which allows for manipulation of SQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in TOPqw Webportal login form allows attackers to manipulate SQL queries via the txtUsername parameter, potentially compromising the entire database of sensitive citizen data.
Vulnerability Description
CVE-2024-45876 is an unauthenticated SQL injection vulnerability in the login form of baltic-it TOPqw Webportal version 1.35.283.2. The flaw resides in the POST parameter txtUsername on the page /Apps/TOPqw/Login.aspx. Sending a single quote in the username field triggers an SQL error message, confirming the injection point. The root cause is that the value of txtUsername reaches the SQL query without parameterization or adequate sanitization. [1]
Exploitation
An attacker can exploit this vulnerability without any prior authentication or network position beyond normal access to the web application's login page. By injecting SQL payloads into the txtUsername parameter, the attacker can manipulate the underlying SQL queries. The presence of SQL error messages simplifies the exploitation process, enabling both manual and automated SQL injection techniques to extract or modify database contents. [1]
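The two paragraphs above describe the check that confirms the injection point (a single quote in txtUsername produces an SQL error) and the fixed version. The following script is an added example, not code from the advisory, from baltic-it, or from TOPqw: it triages a reported build number against the fixed version and implements the non-destructive single-quote probe as a baseline-versus-probe comparison, so that a page that always shows an error is not mistaken for evidence of injection. Assumptions, all labelled in the code: the SQL error strings are generic MSSQL/ODBC wording (the advisory does not name the DBMS), the sample responses are constructed rather than captured, and any other form fields the ASP.NET page requires (view state and the like) must be supplied by the operator via extra_fields, since the advisory names only txtUsername.

```python
"""Version triage and a non-destructive error-based probe for CVE-2024-45876.

Added example; not the vendor's code. Run the network part only against
systems you are authorised to test.
"""
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/Apps/TOPqw/Login.aspx"   # from the advisory
PARAM = "txtUsername"                   # from the advisory
FIXED_VERSION = "1.35.283.4"            # from the advisory

# Assumption: the advisory does not name the DBMS, so these are generic
# SQL Server / ODBC / OLE DB error fragments commonly seen behind ASP.NET apps.
SQL_ERROR_MARKERS = (
    "unclosed quotation mark",
    "incorrect syntax near",
    "sqlexception",
    "system.data.sqlclient",
    "odbc sql server driver",
    "sql syntax",
    "syntax error",
)


def parse_version(version):
    """'1.35.283.2' -> (1, 35, 283, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """True when the running build predates the vendor fix."""
    return parse_version(version) < parse_version(fixed)


def contains_sql_error(body):
    """True if any generic SQL error fragment appears in a response body."""
    lowered = body.lower()
    return any(marker in lowered for marker in SQL_ERROR_MARKERS)


def classify(baseline_body, probe_body):
    """Compare a benign login attempt with the single-quote probe.

    'likely-injectable': the quote, and only the quote, produced an SQL error.
    'error-on-both':     the page errors regardless; needs manual review.
    'no-error':          nothing observed (the host may be patched or silent).
    """
    base_err = contains_sql_error(baseline_body)
    probe_err = contains_sql_error(probe_body)
    if probe_err and not base_err:
        return "likely-injectable"
    if probe_err and base_err:
        return "error-on-both"
    return "no-error"


def build_probe_bodies(extra_fields=None):
    """Return (baseline, probe) URL-encoded POST bodies.

    The only payload is a single quote, which the advisory states is enough
    to surface an SQL error. extra_fields (assumption) carries whatever other
    fields the ASP.NET form needs; the advisory names only txtUsername.
    """
    extra = dict(extra_fields or {})
    baseline = urllib.parse.urlencode({**extra, PARAM: "probeuser"})
    probe = urllib.parse.urlencode({**extra, PARAM: "probeuser'"})
    return baseline, probe


def fetch(base_url, body, timeout=10):
    """POST a form body to the login page and return the response text.

    A 500 error page is returned as text too, since that is where
    ASP.NET usually surfaces the SQL exception message.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + LOGIN_PATH,
        data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def check_target(base_url, extra_fields=None):
    """Run the baseline and probe requests and classify the pair."""
    baseline, probe = build_probe_bodies(extra_fields)
    return classify(fetch(base_url, baseline), fetch(base_url, probe))


# Constructed sample responses for offline use; not captured from a real host.
SAMPLE_BASELINE = "<html><body>Login failed. Please check your credentials.</body></html>"
SAMPLE_PROBE = ("<html><body>Server Error in '/' Application. "
                "Unclosed quotation mark after the character string 'probeuser''."
                "</body></html>")

if __name__ == "__main__":
    print("1.35.283.2 vulnerable:", is_vulnerable_version("1.35.283.2"))
    print("offline classification:", classify(SAMPLE_BASELINE, SAMPLE_PROBE))
```

The version check is the cheap first step: anything below 1.35.283.4 is in the affected range stated on this page. The probe deliberately sends nothing beyond a single quote and compares against a benign request, so a host that returns an error page for every login attempt is reported as error-on-both rather than as confirmed injectable.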
Impact
The impact is critical despite the CVSS base score of 6.5 (Medium). A successful SQL injection allows an attacker to gain complete access to the database. The TOPqw Webportal stores sensitive personal information about citizens and confidential documents, such as applications for social matters, for over 12 German federal states. Compromise of this data could lead to severe privacy breaches and potential misuse of information. [1]
Mitigation
The vendor, bit baltic information technologies GmbH, released a fix in version 1.35.283.4. Organizations running the affected version should update immediately. No workarounds are mentioned, but the vendor responded quickly following responsible disclosure. CVE-2024-45876 is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.35.283.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.