CVE-2024-28298

SQL injection vulnerability in BM SOFT BMPlanning 1.0.0.1 allows authenticated users to execute arbitrary SQL commands via the SEC_IDF, LIE_IDF, PLANF_IDF, CLI_IDF, DOS_IDF, and possibly other parameters to /BMServerR.dll/BMRest.
Configurations

Configuration 1 (hide)

cpe:2.3:a:e-bmsoft:bmplanning:1.0.0.1:*:*:*:*:*:*:*

History

11 Sep 2024, 14:54

Type Values Removed Values Added
CPE cpe:2.3:a:e-bmsoft:bm_planning:1.0.0.1:*:*:*:*:*:*:* cpe:2.3:a:e-bmsoft:bmplanning:1.0.0.1:*:*:*:*:*:*:*
First Time E-bmsoft bmplanning

11 Sep 2024, 14:44

Type Values Removed Values Added
First Time E-bmsoft bm Planning
E-bmsoft
CPE cpe:2.3:a:e-bmsoft:bm_planning:1.0.0.1:*:*:*:*:*:*:*
References () https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2024-28298_BMPlanning%28BM-Soft%29_Authenticated%20SQLI.pdf - () https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2024-28298_BMPlanning%28BM-Soft%29_Authenticated%20SQLI.pdf - Exploit, Third Party Advisory
References () https://www.e-bmsoft.com/ - () https://www.e-bmsoft.com/ - Product
CVSS v2 : unknown
v3 : 6.0
v2 : unknown
v3 : 8.8

23 Aug 2024, 16:35

Type Values Removed Values Added
CWE CWE-89
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.0

05 Aug 2024, 12:41

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de inyección SQL en BM SOFT BMPlanning 1.0.0.1 permite a usuarios autenticados ejecutar comandos SQL de su elección a través de SEC_IDF, LIE_IDF, PLANF_IDF, CLI_IDF, DOS_IDF y posiblemente otros parámetros de /BMServerR.dll/BMRest.

02 Aug 2024, 19:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-02 19:16

Updated : 2024-09-11 14:54


NVD link : CVE-2024-28298

Mitre link : CVE-2024-28298

CVE.ORG link : CVE-2024-28298


JSON object : View

Products Affected

e-bmsoft

  • bmplanning
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')