CVE-2024-7202 - OpenCVE

The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Simopro Technology	Winmatrix3

Configuration 1 [-]

cpe:2.3:a:simopro_technology:winmatrix3:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.twcert.org.tw/en/cp-139-7963-44648-2.html
https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html

History

Tue, 10 Sep 2024 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Simopro Technology Simopro Technology winmatrix3
CPEs		cpe:2.3:a:simopro_technology:winmatrix3::::::::
Vendors & Products		Simopro Technology Simopro Technology winmatrix3

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2024-07-29T03:11:27.355Z

Updated: 2024-08-01T21:52:31.217Z

Reserved: 2024-07-29T01:58:29.886Z

Link: CVE-2024-7202

Vulnrichment

Updated: 2024-08-01T21:52:31.217Z

NVD

Status : Analyzed

Published: 2024-07-29T04:15:02.807

Modified: 2024-09-10T21:11:59.230

Link: CVE-2024-7202

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7202", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-07-29T01:58:29.886Z", "datePublished": "2024-07-29T03:11:27.355Z", "dateUpdated": "2024-08-01T21:52:31.217Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Web", "product": "WinMatrix3", "vendor": "Simopro Technology", "versions": [{"lessThanOrEqual": "1.2.35.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2024-07-29T03:07:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents."}], "value": "The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-07-29T03:11:27.355Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html"}, {"tags": ["vendor-advisory"], "url": "https://www.twcert.org.tw/en/cp-139-7963-44648-2.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update WinMatrix3 Web package to 1.2.35.3 or later version."}], "value": "Update WinMatrix3 Web package to 1.2.35.3 or later version."}], "source": {"advisory": "TVN-202407013", "discovery": "EXTERNAL"}, "title": "Simopro Technology WinMatrix3 Web package - SQL Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "simoprotechnology", "product": "winmatrix3", "cpes": ["cpe:2.3:a:simoprotechnology:winmatrix3:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.35.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-29T13:13:39.396889Z", "id": "CVE-2024-7202", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T16:07:44.862Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:52:31.217Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.twcert.org.tw/en/cp-139-7963-44648-2.html"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://www.twcert.org.tw/en/cp-139-7963-44648-2.html", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:52:31.217Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7202", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-29T13:13:39.396889Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:simoprotechnology:winmatrix3:*:*:*:*:*:*:*:*"], "vendor": "simoprotechnology", "product": "winmatrix3", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.35.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T13:21:58.931Z"}}], "cna": {"title": "Simopro Technology WinMatrix3 Web package - SQL Injection", "source": {"advisory": "TVN-202407013", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Simopro Technology", "product": "WinMatrix3", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.35.3"}], "packageName": "Web", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update WinMatrix3 Web package to 1.2.35.3 or later version.", "supportingMedia": [{"type": "text/html", "value": "Update WinMatrix3 Web package to 1.2.35.3 or later version.", "base64": false}]}], "datePublic": "2024-07-29T03:07:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html", "tags": ["vendor-advisory"]}, {"url": "https://www.twcert.org.tw/en/cp-139-7963-44648-2.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.", "supportingMedia": [{"type": "text/html", "value": "The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-07-29T03:11:27.355Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7202", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:52:31.217Z", "dateReserved": "2024-07-29T01:58:29.886Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2024-07-29T03:11:27.355Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:simopro_technology:winmatrix3:*:*:*:*:*:*:*:*", "matchCriteriaId": "0238C978-C0C1-44CD-AB29-FECBF9CBB1D1", "versionEndIncluding": "1.2.35.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents."}, {"lang": "es", "value": " La funcionalidad de consulta del paquete web WinMatrix3 de Simopro Technology carece de una validaci\u00f3n adecuada de la entrada del usuario, lo que permite a atacantes remotos no autenticados inyectar comandos SQL para leer, modificar y eliminar contenidos de la base de datos."}], "id": "CVE-2024-7202", "lastModified": "2024-09-10T21:11:59.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Secondary"}]}, "published": "2024-07-29T04:15:02.807", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/en/cp-139-7963-44648-2.html"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "twcert@cert.org.tw", "type": "Primary"}]}