PT-2024-4014 · Ivanti · Ivanti Endpoint Manager
Published: 2024-04-03 · Updated: 2024-10-03 · CVE-2024-29826
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ivanti Endpoint Manager versions prior to 2022 SU5
Description: The issue is a SQL Injection vulnerability in the GetDBPatches method of Ivanti Endpoint Manager, which does not properly protect the structure of the SQL query from user-supplied input. A remote attacker can use a specially crafted query to execute arbitrary code. The vulnerability can be exploited by an unauthenticated attacker within the same network.
Recommendations: For versions prior to 2022 SU5, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the GetDBPatches method to minimize the risk of exploitation.

Fix

Weakness Enumeration: SQL injection

Related Identifiers: BDU:2024-04447, CVE-2024-29826, ZDI-24-509

Affected Products: Ivanti Endpoint Manager