CVE-2024-55971 - Logitime WebClock Unauthenticated RCE

Vendor: Logitime | Product: WebClock <= 5.43.0
10.0 Critical

Vulnerability Details

Description: SQL Injection vulnerability in the default configuration of the Logitime WebClock application <= 5.43.0 allows an unauthenticated user to run arbitrary code on the backend database server. The vulnerability is due to the use of a default database user with full permissions. An attacker can exploit this vulnerability by sending a specially crafted request to the web application, which will execute the payload on the backend database server.

Weakness: [CWE-89] - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Advisory

Update to version 5.44.0 or later and change the configuration to use a dedicated database user with limited permissions as explained in the documentation of the new version.
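The weak and the corrected database-side configuration, side by side, as an added illustration that is not part of the vendor's documentation or this advisory. It assumes PostgreSQL as the backend, a database named webclock, tables in the public schema and a role named webclock_app; none of these names come from the advisory.

```sql
-- Weak setting (what the advisory describes): the application connects
-- with a default account that holds full privileges, e.g. a superuser.
-- With that account, any SQL injection in the web tier reaches the whole
-- database server, not just the application's tables.
--   postgresql://postgres:<password>@db/webclock      -- (assumed example)

-- Corrected setting: a dedicated login for the application with no
-- server-level privileges. NOSUPERUSER/NOCREATEDB/NOCREATEROLE are the
-- defaults but are spelled out here to make the intent explicit.
CREATE ROLE webclock_app LOGIN PASSWORD '<set-from-secret-store>'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- Grant only what the application needs, scoped to its own database
-- and schema (assumed: tables live in "public").
GRANT CONNECT ON DATABASE webclock TO webclock_app;
GRANT USAGE ON SCHEMA public TO webclock_app;
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA public TO webclock_app;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO webclock_app;
-- Tables created later by the schema owner get the same limited grants.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO webclock_app;

-- Verification 1: the application role must not be a superuser and must
-- not be able to create roles or databases (expect f, f, f).
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolname = 'webclock_app';

-- Verification 2: the role must not be a member of any other role,
-- in particular not of the predefined pg_read_server_files,
-- pg_write_server_files or pg_execute_server_program roles, which would
-- give it filesystem or program-execution access on the server.
-- Expect an empty result.
SELECT r.rolname AS granted_role
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.roleid
JOIN pg_roles u ON u.oid = m.member
WHERE u.rolname = 'webclock_app';
```

After switching the application's connection string to the dedicated role, re-run the two verification queries as part of the deployment check so that a later "convenience" grant is caught.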

Metrics

CVSS v3.1 Score: 10.0

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

Timeline

  • 2024-12-12: Vulnerability reported to vendor
  • 2024-12-12: Vendor acknowledged the report
  • 2024-12-13: Vendor asked us to test a patch, which resolved the issue
  • 2024-01-20: Vendor released version 5.44.0
  • 2025-01-23: Public disclosure