PT-2024-39224 · Unknown · I-Doit Pro

Adriá Bonilla Martin (+1)

Published: 2024-09-12 · Updated: 2024-09-18

CVE-2024-8749

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: i-doit Pro version 28
Description: SQL injection in the ID parameter processed by /var/www/html/src/classes/modules/api/model/cmdb/isys_api_model_cmdb_objects_by_relation.class.php. An attacker holding a low-privileged account (PR:L in the vector above) can send a specially crafted value in this parameter and retrieve all information stored in the database. The vulnerability is exploitable remotely over the network.
Recommendations: For i-doit Pro version 28, update to a release that includes a fix for this issue. As a temporary workaround, restrict access to the API endpoint backed by /var/www/html/src/classes/modules/api/model/cmdb/isys_api_model_cmdb_objects_by_relation.class.php (for example to trusted networks and accounts) to reduce the exposure, and avoid passing the ID parameter to the affected API endpoint until the issue is resolved.
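The following is an added illustration of the bug class described above, not i-doit's code: it models an "objects by relation" lookup whose caller-supplied ID is concatenated into SQL text, shows a UNION payload pulling rows out of an unrelated table, and puts the hardened form (strict integer validation plus a bound parameter) beside it. The table names, rows and the `objects_by_relation_*` function names are constructed for the example; i-doit itself is PHP on MySQL, where the same fix is an integer check followed by a PDO/mysqli prepared statement.

```python
"""Illustrative SQL injection in an "id" parameter, and its fix.

Added example: an in-memory SQLite database with constructed rows stands
in for the application's database. Nothing here is taken from i-doit.
"""
import sqlite3


def make_db():
    """Build the constructed sample database: an objects table and a
    users table that the objects lookup should never expose."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE objects (id INTEGER PRIMARY KEY, title TEXT)")
    cur.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    cur.executemany("INSERT INTO objects VALUES (?, ?)",
                    [(1, "server-01"), (2, "switch-01")])
    cur.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "$2y$10$constructed-sample-hash")])
    conn.commit()
    return conn


def objects_by_relation_vulnerable(conn, obj_id):
    """Vulnerable pattern: the untrusted id is interpolated into the SQL
    text, so the caller controls the rest of the statement."""
    sql = "SELECT id, title FROM objects WHERE id = " + str(obj_id)
    return conn.execute(sql).fetchall()


def objects_by_relation_fixed(conn, obj_id):
    """Hardened pattern: reject anything that is not an integer, then pass
    the value as a bound parameter so it can never be parsed as SQL."""
    try:
        obj_id = int(obj_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute(
        "SELECT id, title FROM objects WHERE id = ?", (obj_id,)
    ).fetchall()


def fixed_rejects(conn, value):
    """True if the hardened lookup refuses the value instead of querying."""
    try:
        objects_by_relation_fixed(conn, value)
    except ValueError:
        return True
    return False


# Constructed attacker input: a valid id followed by a UNION that appends
# rows from the users table, matching the two-column shape of the query.
PAYLOAD = "1 UNION ALL SELECT id, username || ':' || password_hash FROM users"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", objects_by_relation_vulnerable(db, PAYLOAD))
    print("fixed, legitimate id:", objects_by_relation_fixed(db, "1"))
    print("fixed, payload rejected:", fixed_rejects(db, PAYLOAD))
```

Run against the constructed database, the vulnerable lookup returns the requested object plus the `admin` credential row from `users`; the hardened lookup returns only the object for a numeric id and raises on the payload. The integer cast alone would stop this particular payload, but the bound parameter is what keeps the query safe if the column type ever changes.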

Fix

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2024-8749

Affected Products: I-Doit Pro