CVE-2024-11124

Name of the Vulnerable Software and Affected Versions TimGeyssens UIOMatic version 5

Description A critical vulnerability has been found in the file /src/UIOMatic/wwwroot/backoffice/resources/uioMaticObject.r, which can lead to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vulnerability is related to the lack of protection of the SQL query structure, allowing an attacker to execute arbitrary SQL code using a specially crafted GET request with a filepath like '/uiomatic/object/GetById?typeAlias=cities&id=10'.

Recommendations For TimGeyssens UIOMatic version 5, as a temporary workaround, consider restricting access to the vulnerable file /src/UIOMatic/wwwroot/backoffice/resources/uioMaticObject.r until a patch is available. Avoid using the filepath '/uiomatic/object/GetById' with parameters like typeAlias and id in GET requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.