CVE-2024-55971 - Logitime WebClock Unauthenticated RCE

Vendor: Logitime | Product: WebClock | Vulnerable Versions: WebClock <= 5.43.0

Severity

Critical
CVSS v3.1 Score: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Details

CWE: CWE-89

Description: SQL Injection vulnerability in the default configuration of the Logitime WebClock application allows an unauthenticated attacker to run arbitrary code on the backend database server.

Impact

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

Advisory

Update to version 5.44.0 or later. Change the default configuration to use a dedicated database user with limited permissions as explained in the documentation.
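The two patterns behind this advisory, the CWE-89 defect and the least-privilege database account recommended as a mitigation, illustrated in Python with an in-memory SQLite database. This is an added example, not Logitime or WebClock code: the `badges` table, its rows, the lookup functions, and the use of SQLite's `query_only` pragma as a stand-in for a restricted database user are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data standing in for a time-clock backend table.
# Nothing here is vendor code; the schema is assumed for the example.
SEED_ROWS = [
    ("1001", "Ada Lovelace"),
    ("1002", "Grace Hopper"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE badges (badge_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO badges VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, badge_id: str) -> list:
    """CWE-89 pattern: untrusted input is spliced into the SQL text, so the
    input can change the query's structure instead of only its data."""
    sql = "SELECT name FROM badges WHERE badge_id = '" + badge_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, badge_id: str) -> list:
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT name FROM badges WHERE badge_id = ?"
    return [row[0] for row in conn.execute(sql, (badge_id,))]


def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    """Model a limited-permission database account. On a real server this is
    a dedicated login granted only the rights the application needs; SQLite
    has no accounts, so the query_only pragma is used here as a stand-in."""
    conn.execute("PRAGMA query_only = 1")


def can_write(conn: sqlite3.Connection) -> bool:
    """Probe whether the connection may modify data, without leaving a trace:
    attempt an insert and roll it back, or report the refusal."""
    try:
        conn.execute("INSERT INTO badges VALUES ('9999', 'probe')")
    except sqlite3.OperationalError:
        # SQLite reports "attempt to write a readonly database" when
        # query_only is set; a restricted server account would raise a
        # comparable permission error.
        return False
    conn.rollback()
    return True


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tautology))  # every row
    print("safe:      ", lookup_safe(db, tautology))        # no rows
    print("writable before restriction:", can_write(db))
    restrict_to_read_only(db)
    print("writable after restriction: ", can_write(db))
```

The parameterized query sends the badge id purely as data, so an input such as `' OR '1'='1` matches no badge, while the concatenated query returns every row because the input has rewritten the WHERE clause. The pragma only models the effect of the advisory's second recommendation: against a real database server the equivalent is a dedicated application login with no more than the SELECT and INSERT rights it needs, which bounds what an injection can reach even before the application code is fixed.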

References

Timeline

  • 2024-01-20: Vulnerability reported to vendor
  • 2024-01-21: Vendor acknowledged the report
  • 2024-01-20: Vendor released version 5.44.0
  • 2025-01-23: Public disclosure