PT-2024-24615 · Znuny+1 · Znuny Lts+2
Martino Spagnuolo · Published 2024-04-29 · Updated 2025-09-02
CVE-2024-32493
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Znuny LTS versions 6.5.1 through 6.5.7
Znuny versions 7.0.1 through 7.0.16
Description
An issue was discovered where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request.
Recommendations
For Znuny LTS versions 6.5.1 through 6.5.7, update to a version outside of this range to resolve the issue.
For Znuny versions 7.0.1 through 7.0.16, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting access to the AJAX request endpoint to minimize the risk of exploitation.
Avoid using the draft form ID parameter in the affected AJAX request until the issue is resolved.
Fix
SQL injection
Affected Products
Debian
Znuny
Znuny Lts