CVE-2024-22108

Name of the Vulnerable Software and Affected Versions GTB Central Console version 15.17.1-30814.NG

Description An issue was discovered in the method setTermsHashAction at /opt/webapp/lib/PureApi/CCApi.class.php, which is vulnerable to an unauthenticated SQL injection via the API endpoint /ccapi.php. This allows an attacker to change the Administrator password to a known value by executing arbitrary SQL queries.

Recommendations For GTB Central Console version 15.17.1-30814.NG, as a temporary workaround, consider disabling the setTermsHashAction method until a patch is available. Restrict access to the /ccapi.php endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.