CVE-2024-28094 - Vulnerability Details - OpenCVE

Chat functionality in Schoolbox application before version 23.1.3 is vulnerable to blind SQL Injection enabling the authenticated attackers to read, modify, and delete database records.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schoolbox	Schoolbox

Configuration 1 [-]

cpe:2.3:a:schoolbox:schoolbox:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://schoolbox.education/
https://www.themissinglink.com.au/security-advisories/cve-2024-28094

History

Wed, 05 Feb 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Schoolbox Schoolbox schoolbox
CPEs		cpe:2.3:a:schoolbox:schoolbox::::::::
Vendors & Products		Schoolbox Schoolbox schoolbox

MITRE

Status: PUBLISHED

Assigner: TML

Published: 2024-03-07T03:14:25.843Z

Updated: 2024-08-02T00:48:48.241Z

Reserved: 2024-03-04T04:27:20.021Z

Link: CVE-2024-28094

Vulnrichment

Updated: 2024-08-02T00:48:48.241Z

NVD

Status : Analyzed

Published: 2024-03-07T04:15:07.333

Modified: 2025-02-05T17:15:25.047

Link: CVE-2024-28094

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28094", "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "state": "PUBLISHED", "assignerShortName": "TML", "dateReserved": "2024-03-04T04:27:20.021Z", "datePublished": "2024-03-07T03:14:25.843Z", "dateUpdated": "2024-08-02T00:48:48.241Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Schoolbox", "vendor": "Schoolbox Pty Ltd", "versions": [{"lessThan": "23.1.3", "status": "affected", "version": "0", "versionType": "Minor"}]}], "datePublic": "2024-03-06T08:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."}], "value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7 Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "shortName": "TML", "dateUpdated": "2024-03-07T03:14:25.843Z"}, "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"}, {"url": "https://schoolbox.education/"}], "source": {"discovery": "UNKNOWN"}, "title": "Blind SQL Injection in Chat functionality in Schoolbox", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28094", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-07T18:31:38.565724Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:03:28.556Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.241Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094", "tags": ["x_transferred"]}, {"url": "https://schoolbox.education/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094", "tags": ["x_transferred"]}, {"url": "https://schoolbox.education/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.241Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28094", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-07T18:31:38.565724Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:16.393Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Blind SQL Injection in Chat functionality in Schoolbox", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7 Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Schoolbox Pty Ltd", "product": "Schoolbox", "versions": [{"status": "affected", "version": "0", "lessThan": "23.1.3", "versionType": "Minor"}], "defaultStatus": "affected"}], "datePublic": "2024-03-06T08:00:00.000Z", "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"}, {"url": "https://schoolbox.education/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records.", "supportingMedia": [{"type": "text/html", "value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "shortName": "TML", "dateUpdated": "2024-03-07T03:14:25.843Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28094", "state": "PUBLISHED", "dateUpdated": "2024-08-02T00:48:48.241Z", "dateReserved": "2024-03-04T04:27:20.021Z", "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "datePublished": "2024-03-07T03:14:25.843Z", "assignerShortName": "TML"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schoolbox:schoolbox:*:*:*:*:*:*:*:*", "matchCriteriaId": "74EE0444-60C1-4AB1-9D79-4681443BFA26", "versionEndExcluding": "23.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."}, {"lang": "es", "value": "La funcionalidad de chat en la aplicaci\u00f3n Schoolbox anterior a la versi\u00f3n 23.1.3 es vulnerable a la inyecci\u00f3n SQL ciega, lo que permite a los atacantes autenticados leer, modificar y eliminar registros de la base de datos."}], "id": "CVE-2024-28094", "lastModified": "2025-02-05T17:15:25.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vdp@themissinglink.com.au", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-07T04:15:07.333", "references": [{"source": "vdp@themissinglink.com.au", "tags": ["Product"], "url": "https://schoolbox.education/"}, {"source": "vdp@themissinglink.com.au", "tags": ["Third Party Advisory"], "url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://schoolbox.education/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"}], "sourceIdentifier": "vdp@themissinglink.com.au", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "vdp@themissinglink.com.au", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}