VYPR
Medium severity (6.5) · NVD Advisory · Published Feb 11, 2025 · Updated Apr 15, 2026

CVE-2024-55212

Description

DNNGo xBlog v6.5.0 was discovered to contain a SQL injection vulnerability via the Categorys parameter at /DNNGo_xBlog/Resource_Service.aspx.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated blind SQL injection vulnerability in DNNGo xBlog v6.5.0 allows attackers to extract database data via the Categorys parameter.

Vulnerability

Overview

CVE-2024-55212 is a blind SQL injection vulnerability discovered in the DNNGo xBlog plugin version 6.5.0 for DNN (DotNetNuke). The issue resides in the Categorys parameter of the /DNNGo_xBlog/Resource_Service.aspx endpoint. The root cause is the lack of proper input sanitization or parameterized queries when handling user-supplied data in HTTP GET requests, allowing malicious SQL statements to be executed against the underlying MSSQL database [1].

Exploitation

Details

This vulnerability is exploitable without authentication and requires no prior knowledge of the target, as the vulnerable endpoint is publicly accessible. Attackers can send crafted HTTP GET requests containing blind SQL injection payloads through the Categorys parameter. The injection is blind: the response does not directly return query results, so the attacker infers information from differences in HTTP responses (e.g., status codes, timing delays) that reveal whether an injected condition evaluated true or false [1].

Impact

Successful exploitation allows an unauthenticated attacker to extract sensitive information from the database, such as user credentials, application data, or configuration details. The attack is limited to data retrieval (read access) and does not appear to enable data modification or command execution based on available information.

Mitigation

As of the publication date, no official patch has been released by DNNGo. Users are advised to apply input validation and parameterized queries as a workaround. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, but given the ease of exploitation, administrators should prioritize mitigation.
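The root cause named above (user input spliced into SQL text) and the workaround (input validation plus parameterized queries) are illustrated here in a constructed example. This is not DNNGo xBlog code and the page does not describe the plugin's schema: the `posts` table, its columns and rows are made up, an in-memory SQLite database stands in for MSSQL, and the assumption that `Categorys` carries a comma-separated list of integer category IDs is ours. The hostile input is a textbook tautology used only to show how the two query-building styles diverge.

```python
import re
import sqlite3

# Constructed sample data standing in for the plugin's blog tables
# (the real xBlog schema is not described in the advisory).
SAMPLE_POSTS = [
    (1, 10, 1, "Published post in category 10"),
    (2, 20, 1, "Published post in category 20"),
    (3, 30, 0, "Unpublished draft in category 30"),
]

# Allow-list for the (assumed) shape of Categorys: "10" or "10,20,30".
CATEGORYS_RE = re.compile(r"\d{1,9}(,\d{1,9})*")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER, category_id INTEGER, published INTEGER, title TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def posts_by_category_vulnerable(conn, categorys):
    # Defect pattern from the advisory: the request parameter becomes SQL syntax.
    # A quote, parenthesis or comment marker in the input rewrites the WHERE clause.
    sql = (
        "SELECT title FROM posts WHERE published = 1 "
        "AND category_id IN (" + categorys + ") ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def posts_by_category_param_only(conn, categorys):
    # Parameterization alone: the whole string is bound as ONE literal value, so
    # SQL metacharacters are inert. Functionally wrong for lists, but never injectable.
    sql = "SELECT title FROM posts WHERE published = 1 AND category_id IN (?) ORDER BY id"
    return [row[0] for row in conn.execute(sql, (categorys,))]


def parse_categorys(categorys):
    """Reject anything that is not a comma-separated list of integer IDs
    before any SQL is built (assumed parameter format)."""
    if not CATEGORYS_RE.fullmatch(categorys):
        raise ValueError("Categorys must be a comma-separated list of integer IDs")
    return [int(x) for x in categorys.split(",")]


def posts_by_category_safe(conn, categorys):
    # Hardened form: validated integers, one bound placeholder per ID. The only
    # text interpolated into the SQL is the generated "?,?,?" placeholder list.
    ids = parse_categorys(categorys)
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT title FROM posts WHERE published = 1 "
        f"AND category_id IN ({placeholders}) ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, ids)]


def demo():
    conn = make_db()
    benign = "10,20"
    hostile = "10) OR 1=1 --"  # constructed tautology: closes IN(...), comments out the rest
    results = {
        "vulnerable_benign": posts_by_category_vulnerable(conn, benign),
        # Concatenation: the unpublished draft leaks because "published = 1" is bypassed.
        "vulnerable_hostile": posts_by_category_vulnerable(conn, hostile),
        "param_only_hostile": posts_by_category_param_only(conn, hostile),
        "safe_benign": posts_by_category_safe(conn, benign),
    }
    try:
        posts_by_category_safe(conn, hostile)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the three outcomes side by side: the concatenated query returns all three rows for the hostile input, including the unpublished draft; the parameter-only variant returns nothing because the entire string is compared as a single literal; and the validated, parameterized variant refuses the input before a query exists. For a real deployment the same two layers apply in the plugin's .NET code (`SqlParameter` objects rather than string concatenation, plus an allow-list on the parameter format).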

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)