CVE-2024-32493
📋 TL;DR
This SQL injection vulnerability in Znuny allows authenticated agents to execute arbitrary SQL commands through the draft form ID parameter in AJAX requests. It affects Znuny LTS versions 6.5.1 through 6.5.7 and Znuny versions 7.0.1 through 7.0.16. Attackers could potentially read, modify, or delete database content.
💻 Affected Systems
- Znuny LTS
- Znuny
📦 What is this software?
Znuny by Znuny
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, privilege escalation, and potential remote code execution via database functions.
Likely Case
Data theft, manipulation of ticket data, privilege escalation to admin accounts, and potential access to sensitive customer information.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, restricting SQL execution to read-only operations.
🎯 Exploit Status
Exploitation requires authenticated agent credentials. SQL injection via AJAX endpoints is well-understood and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Znuny LTS 6.5.8, Znuny 7.0.17
Vendor Advisory: https://www.znuny.org/en/advisories/zsa-2024-03
Restart Required: Yes
Instructions:
1. Backup your Znuny installation and database.
2. Download the patched version from znuny.org.
3. Follow the official upgrade guide for your version.
4. Restart the Znuny service.
5. Verify the patch is applied.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for draft form ID parameters to only accept numeric values.
WAF Rule
Deploy web application firewall rules to block SQL injection patterns in AJAX requests.
🧯 If You Can't Patch
- Restrict agent access to only trusted users and implement strict least-privilege principles.
- Monitor and audit all AJAX requests to the draft form endpoint for suspicious patterns.
🔍 How to Verify
Check if Vulnerable:
Check your Znuny version via the Admin interface or by examining the package version. If you are running an affected version (6.5.1-6.5.7 or 7.0.1-7.0.16), you are vulnerable.
Check Version:
Check Admin → System → About in the Znuny web interface, or examine the package/installation files.
Verify Fix Applied:
Verify version is 6.5.8+ for LTS or 7.0.17+ for Znuny. Test draft form functionality to ensure SQL injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed AJAX requests to draft endpoints
- Agent accounts accessing unusual database tables
Network Indicators:
- SQL keywords in AJAX request parameters
- Unusually long draft ID parameters
- Multiple rapid AJAX requests from single agent
SIEM Query:
source="znuny_logs" AND (url="*AJAX*" AND param="*draft*" AND (value="*SELECT*" OR value="*UNION*" OR value="*INSERT*" OR value="*DELETE*"))
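Added example (not from the advisory or from Znuny's own code): a Python check that implements the numeric-only validation described under the workaround and applies it as a scan over access-log lines for the detection indicators above. The parameter names FormID/DraftFormID, the URL path, the client addresses and the log lines are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote_plus

# Allow-list for the draft form ID: a bare decimal integer and nothing else.
DRAFT_ID_RE = re.compile(r"[0-9]{1,10}")
# SQL keywords from the SIEM query above, plus UPDATE/DROP and comment/quote tokens.
SQL_TOKENS_RE = re.compile(r"\b(SELECT|UNION|INSERT|DELETE|UPDATE|DROP)\b|--|'", re.IGNORECASE)
# Query-string parameters whose name mentions "draft" or is FormID (assumed names).
DRAFT_PARAM_RE = re.compile(r"(\w*draft\w*|FormID)=([^&;\s\"]*)", re.IGNORECASE)

# Constructed sample access-log lines; paths and parameter names are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 agent1 "GET /index.pl?Action=AgentTicketCompose;Subaction=AJAXUpdate;FormID=1042 HTTP/1.1" 200',
    '203.0.113.7 agent1 "GET /index.pl?Action=AgentTicketCompose;Subaction=AJAXUpdate;FormID=1042%20UNION%20SELECT HTTP/1.1" 200',
    '198.51.100.9 agent2 "GET /index.pl?Action=AgentTicketZoom;TicketID=55 HTTP/1.1" 200',
    '203.0.113.7 agent1 "GET /index.pl?Action=AgentTicketCompose;Subaction=AJAXUpdate;DraftFormID=abc HTTP/1.1" 500',
]


def is_valid_draft_form_id(value: str) -> bool:
    """Strict validation: True only for a plain decimal integer (the workaround)."""
    return DRAFT_ID_RE.fullmatch(value) is not None


def flag_draft_requests(log_lines):
    """Scan AJAX request lines and return (line_no, param, value, reason) for every
    draft-related parameter that fails validation or carries SQL keywords."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        if "AJAX" not in line:  # only the AJAX endpoints are in scope here
            continue
        for m in DRAFT_PARAM_RE.finditer(line):
            param, value = m.group(1), unquote_plus(m.group(2))  # decode %20, + etc.
            if SQL_TOKENS_RE.search(value):
                hits.append((line_no, param, value, "sql_keyword"))
            elif not is_valid_draft_form_id(value):
                hits.append((line_no, param, value, "non_numeric"))
    return hits


if __name__ == "__main__":
    for hit in flag_draft_requests(SAMPLE_LOG):
        print("line %d: %s=%r (%s)" % hit)
```

Run against SAMPLE_LOG it reports line 2 (SQL keywords in FormID) and line 4 (non-numeric DraftFormID) and stays silent on the well-formed request and the non-AJAX request.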