CVE-2024-29732
📋 TL;DR
An unauthenticated SQL injection vulnerability exists in the SCAN_VISIO eDocument Suite Web Viewer login page via the 'user' parameter. This allows attackers to retrieve, update, or delete all database information without authentication. Organizations using Abast's SCAN_VISIO eDocument Suite Web Viewer are affected.
💻 Affected Systems
- SCAN_VISIO eDocument Suite Web Viewer
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, data destruction, and potential lateral movement to other systems.
Likely Case
Data exfiltration of sensitive documents and user information, followed by ransomware deployment or data destruction.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and database permissions are in place.
🎯 Exploit Status
SQL injection via login parameter is trivial to exploit with standard SQLi tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact vendor for patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-scanvisio-edocument-suite-web-viewer-abast
Restart Required: Yes
Instructions:
1. Contact Abast for the security patch
2. Apply patch to all affected systems
3. Restart the web viewer service
4. Verify the fix is working
🔧 Temporary Workarounds
Web Application Firewall Rules
allImplement WAF rules to block SQL injection patterns in the login parameter
WAF-specific rules to block SQL keywords in user parameter
Network Access Control
linuxRestrict access to the login page to trusted IP addresses only
iptables -A INPUT -p tcp --dport [port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [port] -j DROP
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries at the application layer
- Deploy a web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Test the login page with SQL injection payloads in the 'user' parameter (e.g., ' OR '1'='1)Check Version:
Check web viewer interface or configuration files for version informationVerify Fix Applied:
Attempt SQL injection after patch application and verify it's blocked or returns error📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple failed login attempts with SQL patterns
- Database queries from unexpected sources
Network Indicators:
- SQL keywords in HTTP POST parameters
- Unusual database connection patterns
- High volume of requests to login endpoint
SIEM Query:
source="web_logs" AND (user="*OR*" OR user="*UNION*" OR user="*SELECT*" OR user="*INSERT*" OR user="*DELETE*")