CVE-2024-3704 - Vulnerability Details - OpenCVE

SQL Injection Vulnerability has been found on OpenGnsys product affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to inject malicious SQL code into login page to bypass it or even retrieve all the information stored in the database.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00198.

Key SSVC decision points have not yet been added.

Vendors	Products
Opengnsys	Opengnsys

Configuration 1 [-]

cpe:2.3:a:opengnsys:opengnsys:1.1.1d:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-32279	SQL Injection Vulnerability has been found on OpenGnsys product affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to inject malicious SQL code into login page to bypass it or even retrieve all the information stored in the database.

Fixes

Solution

The OpenGnsys development team has released a security patch that resolves the reported vulnerabilities. These fixes will be included in the next version to be released shortly.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys

History

Tue, 04 Nov 2025 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opengnsys Opengnsys opengnsys
CPEs		cpe:2.3:a:opengnsys:opengnsys:1.1.1d:::::::*
Vendors & Products		Opengnsys Opengnsys opengnsys

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-04-12T13:47:03.946Z

Updated: 2024-08-01T20:20:01.267Z

Reserved: 2024-04-12T10:44:52.613Z

Link: CVE-2024-3704

Vulnrichment

Updated: 2024-08-01T20:20:01.267Z

NVD

Status : Analyzed

Published: 2024-04-12T14:15:08.743

Modified: 2025-11-04T18:33:49.640

Link: CVE-2024-3704

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3704", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-04-12T10:44:52.613Z", "datePublished": "2024-04-12T13:47:03.946Z", "dateUpdated": "2024-08-01T20:20:01.267Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenGnsys", "vendor": "OpenGnsys", "versions": [{"status": "affected", "version": "1.1.1d"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Pedro Gabald\u00f3n Jul\u00e1"}, {"lang": "en", "type": "finder", "value": "Javier Medina Munuera"}, {"lang": "en", "type": "finder", "value": "Antonio Jos\u00e9 G\u00e1lvez S\u00e1nchez"}], "datePublic": "2024-04-12T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL Injection Vulnerability has been found on OpenGnsys product affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to inject malicious SQL code into login page to bypass it or even retrieve all the information stored in the database."}], "value": "SQL Injection Vulnerability has been found on OpenGnsys product affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to inject malicious SQL code into login page to bypass it or even retrieve all the information stored in the database."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-07-05T12:44:44.802Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys"}, {"tags": ["patch"], "url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The OpenGnsys development team has released a security patch that resolves the reported vulnerabilities. These fixes will be included in the next version to be released shortly."}], "value": "The OpenGnsys development team has released a security patch that resolves the reported vulnerabilities. These fixes will be included in the next version to be released shortly."}], "source": {"discovery": "UNKNOWN"}, "title": "SQL Injection vulnerability in OpenGnsys", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "opengnsys", "product": "opengnsys", "cpes": ["cpe:2.3:a:opengnsys:opengnsys:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.1.1d", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-18T19:21:20.654359Z", "id": "CVE-2024-3704", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T19:22:05.117Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.267Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys", "tags": ["x_transferred"]}, {"tags": ["patch", "x_transferred"], "url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys", "tags": ["x_transferred"]}, {"url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x", "tags": ["patch", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.267Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3704", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-18T19:21:20.654359Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:opengnsys:opengnsys:*:*:*:*:*:*:*:*"], "vendor": "opengnsys", "product": "opengnsys", "versions": [{"status": "affected", "version": "1.1.1d"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T19:22:01.399Z"}}], "cna": {"title": "SQL Injection vulnerability in OpenGnsys", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pedro Gabald\u00f3n Jul\u00e1"}, {"lang": "en", "type": "finder", "value": "Javier Medina Munuera"}, {"lang": "en", "type": "finder", "value": "Antonio Jos\u00e9 G\u00e1lvez S\u00e1nchez"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenGnsys", "product": "OpenGnsys", "versions": [{"status": "affected", "version": "1.1.1d"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The OpenGnsys development team has released a security patch that resolves the reported vulnerabilities. These fixes will be included in the next version to be released shortly.", "supportingMedia": [{"type": "text/html", "value": "The OpenGnsys development team has released a security patch that resolves the reported vulnerabilities. These fixes will be included in the next version to be released shortly.", "base64": false}]}], "datePublic": "2024-04-12T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys"}, {"url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "SQL Injection Vulnerability has been found on OpenGnsys product affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to inject malicious SQL code into login page to bypass it or even retrieve all the information stored in the database.", "supportingMedia": [{"type": "text/html", "value": "SQL Injection Vulnerability has been found on OpenGnsys product affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to inject malicious SQL code into login page to bypass it or even retrieve all the information stored in the database.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-07-05T12:44:44.802Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3704", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:20:01.267Z", "dateReserved": "2024-04-12T10:44:52.613Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-04-12T13:47:03.946Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opengnsys:opengnsys:1.1.1d:*:*:*:*:*:*:*", "matchCriteriaId": "01BCA877-074D-4F9B-B82F-6D23F111F9C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection Vulnerability has been found on OpenGnsys product affecting version 1.1.1d (Espeto). This vulnerability allows an attacker to inject malicious SQL code into login page to bypass it or even retrieve all the information stored in the database."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad de inyecci\u00f3n SQL en el producto OpenGnsys que afecta la versi\u00f3n 1.1.1d (Espeto). Esta vulnerabilidad permite a un atacante inyectar c\u00f3digo SQL malicioso en la p\u00e1gina de inicio de sesi\u00f3n para evitarla o incluso recuperar toda la informaci\u00f3n almacenada en la base de datos."}], "id": "CVE-2024-3704", "lastModified": "2025-11-04T18:33:49.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-04-12T14:15:08.743", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Vendor Advisory"], "url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x"}, {"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://opengnsys.es/web/parche-de-seguridad-cve-2024-370x"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-opengnsys"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}