PT-2024-4019 · Ivanti · Ivanti Endpoint Manager
Published: 2024-03-27 · Updated: 2024-10-03 · CVE-2024-29846
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
Ivanti Endpoint Manager versions prior to 2022 SU5
Description:
The issue is a SQL injection vulnerability in the GetVulnerabilitiesDataTable method of Ivanti Endpoint Manager, caused by insufficient protection of the SQL query structure from user-controlled input. It allows an attacker to execute arbitrary code using a specially crafted query. The vulnerability can be exploited by an authenticated attacker located on the same network.
Recommendations:
For versions prior to 2022 SU5, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the GetVulnerabilitiesDataTable method until the fix can be applied.
Status: Fix
Weakness: SQL injection
Related Identifiers: CVE-2024-29846
Affected Products: Ivanti Endpoint Manager