CVE-2024-34256
📋 TL;DR
OFCMS V1.1.2 contains a SQL injection vulnerability in the new table function that allows attackers to execute arbitrary SQL commands. This affects all systems running the vulnerable version of OFCMS, potentially compromising database confidentiality, integrity, and availability.
💻 Affected Systems
- OFCMS
📦 What is this software?
Ofcms by Ofcms Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, and potential remote code execution via database functions.
Likely Case
Unauthorized data access, data manipulation, and potential privilege escalation within the database.
If Mitigated
Limited impact with proper input validation and parameterized queries in place.
🎯 Exploit Status
SQL injection vulnerabilities are commonly exploited with readily available tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Implement Input Validation
Add strict input validation to reject malicious SQL characters in the new table function.
Use Parameterized Queries
Rewrite the vulnerable function to use parameterized queries or prepared statements.
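Worked example added here (not OFCMS code; the table layout, column types and SQLite backend are assumed) showing the two workarounds together for a "new table" feature: a table or column name cannot be bound as a prepared-statement parameter, so the identifier goes through a strict allowlist, while the row data is bound with placeholders.

```python
import re
import sqlite3

# Allowlist for SQL identifiers: leading letter, then letters/digits/underscore, max 64 chars.
IDENTIFIER_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}")
# Column types the "new table" feature is allowed to create (assumed set for this example).
ALLOWED_TYPES = {"INTEGER", "TEXT", "REAL"}


def validate_identifier(name: str) -> str:
    # Identifiers cannot be bound as query parameters, so for CREATE TABLE the
    # control is a strict allowlist check, not a prepared statement.
    if not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return name


def create_table_vulnerable(conn: sqlite3.Connection, table_name: str) -> None:
    # The defect: user-controlled text is pasted straight into DDL, and stacked statements run.
    conn.executescript(f"CREATE TABLE {table_name} (id INTEGER PRIMARY KEY)")


def create_table_safe(conn: sqlite3.Connection, table_name: str, columns: dict) -> None:
    table = validate_identifier(table_name)
    parts = []
    for col, typ in columns.items():
        if typ.upper() not in ALLOWED_TYPES:
            raise ValueError(f"rejected column type: {typ!r}")
        parts.append(f'"{validate_identifier(col)}" {typ.upper()}')
    # Every identifier has passed the allowlist and is double-quoted; no user text
    # can alter the statement's structure.
    conn.execute(f'CREATE TABLE "{table}" ({", ".join(parts)})')


def insert_row(conn: sqlite3.Connection, table_name: str, values: dict) -> None:
    # Data goes through bound parameters; only identifiers go through the allowlist.
    table = validate_identifier(table_name)
    cols = [validate_identifier(c) for c in values]
    col_list = ", ".join(f'"{c}"' for c in cols)
    placeholders = ", ".join("?" for _ in cols)
    conn.execute(f'INSERT INTO "{table}" ({col_list}) VALUES ({placeholders})', tuple(values.values()))


def table_names(conn: sqlite3.Connection) -> set:
    return {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}


def open_memory_db() -> sqlite3.Connection:
    return sqlite3.connect(":memory:")
```

The same allowlist check can be reused wherever OFCMS-style admin features accept a table or column name; the WAF rule in the next section only complements it, since identifier payloads need not contain SELECT or UNION.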
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with SQL injection rules.
- Restrict database user permissions to minimize potential damage.
🔍 How to Verify
Check if Vulnerable:
Review the new table function code for SQL injection vulnerabilities or test with SQL injection payloads.
Check Version:
Check the OFCMS version in the application configuration or admin panel.
Verify Fix Applied:
Test the new table function with SQL injection payloads to ensure they are blocked or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts or access to unauthorized tables
Network Indicators:
- Suspicious HTTP requests containing SQL keywords to the new table endpoint
SIEM Query:
SELECT * FROM web_logs WHERE url LIKE '%newtable%' AND (request_body LIKE '%SELECT%' OR request_body LIKE '%UNION%' OR request_body LIKE '%OR%1=1%')