PT-2024-22384 · Bm Soft · Bmplanning

Published: 2024-08-02 · Updated: 2024-09-11 · CVE-2024-28298

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: BM SOFT BMPlanning version 1.0.0.1

Description: The issue allows authenticated users to execute arbitrary SQL commands via parameters such as SEC IDF, LIE IDF, PLANF IDF, CLI IDF, DOS IDF, and possibly others, passed to the "/BMServerR.dll/BMRest" API endpoint. The vector (PR:L, UI:N) means any valid low-privileged account is sufficient and no user interaction is needed; the C:H/I:H/A:H impact means a successful injection gives full read and write control over the data the application's database connection can reach.

Recommendations: For BM SOFT BMPlanning version 1.0.0.1, restrict access to the vulnerable API endpoint "/BMServerR.dll/BMRest" (for example, allow only the client networks that need it at a reverse proxy or firewall) and avoid using the parameters SEC IDF, LIE IDF, PLANF IDF, CLI IDF, DOS IDF until a patch is available. Because the attack requires valid credentials, review which accounts can reach the endpoint and monitor its request logs for SQL metacharacters in those parameters. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
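The following Python script is an added example, not part of this advisory and not BM SOFT code. It shows the monitoring step a practitioner would put in place while the endpoint is unpatched: scan web-server access logs for requests to "/BMServerR.dll/BMRest" whose listed parameters carry SQL metacharacters. Everything beyond the endpoint path and parameter names is an assumption: the log lines are constructed, the W3C field order is what IIS commonly writes (the endpoint's .dll name suggests IIS, but the advisory does not say), parameter names are matched with an underscore and a space treated as equivalent because this page renders them with a space, and the metacharacter/keyword list is a heuristic for fields that are expected to hold numeric identifiers.

```python
"""Flag access-log requests that may be abusing CVE-2024-28298 (BMPlanning).

Added example: the log lines, field order and heuristics below are assumptions
constructed for illustration; this is not code from BM SOFT or from the advisory.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl

# Endpoint named in the advisory (compared case-insensitively).
ENDPOINT = "/bmserverr.dll/bmrest"

# Parameters named in the advisory. The page prints them with a space; the
# matcher treats "_" and " " as the same character so either spelling matches.
SUSPECT_PARAMS = {"sec idf", "lie idf", "planf idf", "cli idf", "dos idf"}

# Heuristic for fields that should hold a numeric identifier: any quote,
# comment marker, statement separator or common SQL keyword is suspicious.
SQLI_PATTERN = re.compile(
    r"'|--|/\*|;|\b(or|and|union|select|sleep|waitfor|xp_cmdshell)\b",
    re.IGNORECASE,
)


def _norm(name: str) -> str:
    """Normalise a parameter name: lower-case, underscore and space equivalent."""
    return name.strip().lower().replace("_", " ")


def analyse_query(query: str) -> Dict[str, str]:
    """Return {normalised param: decoded value} for suspect params that look injected."""
    hits: Dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        key = _norm(name)
        if key in SUSPECT_PARAMS and SQLI_PATTERN.search(value):
            hits[key] = value
    return hits


def parse_w3c_line(line: str) -> Optional[dict]:
    """Parse one W3C extended log line with the assumed field order:
    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
    Comment lines (starting with '#') and short lines are skipped."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 10:
        return None
    return {
        "date": parts[0], "time": parts[1], "method": parts[3],
        "stem": parts[4], "query": "" if parts[5] == "-" else parts[5],
        "user": parts[7], "client": parts[8], "status": parts[9],
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Return the parsed records for the endpoint whose parameters look injected."""
    findings: List[dict] = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None or rec["stem"].lower() != ENDPOINT:
            continue
        hits = analyse_query(rec["query"])
        if hits:
            findings.append({**rec, "hits": hits})
    return findings


# Constructed sample log (assumed IIS W3C layout). Line 2 and line 3 carry
# injection-style values; line 4 targets a different endpoint and is ignored.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-08-05 09:12:01 10.0.0.5 GET /BMServerR.dll/BMRest SEC_IDF=42 80 jdoe 10.0.0.77 200
2024-08-05 09:12:07 10.0.0.5 GET /BMServerR.dll/BMRest SEC_IDF=42'+OR+1=1-- 80 jdoe 10.0.0.77 200
2024-08-05 09:12:09 10.0.0.5 GET /BMServerR.dll/BMRest CLI%20IDF=7;WAITFOR+DELAY+'0:0:5' 80 jdoe 10.0.0.77 500
2024-08-05 09:12:11 10.0.0.5 GET /other.dll/Thing SEC_IDF=1' 80 jdoe 10.0.0.77 200
"""


def scan_sample() -> List[dict]:
    """Run the scanner over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['date']} {f['time']} user={f['user']} client={f['client']} "
              f"status={f['status']} hits={f['hits']}")
```

The scan keys on the endpoint path first, so a legitimate identifier containing the word "or" elsewhere on the site is never examined; within the endpoint, a stricter rule for fields known to be numeric is to flag any value that is not all digits, which removes the keyword list entirely. Point the script at the real log file (one line per record) once the field order in your server's `#Fields:` header has been confirmed.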

Exploit: SQL injection

Weakness Enumeration

Related Identifiers: CVE-2024-28298

Affected Products: Bmplanning