CVE-2024-41512

8.8 HIGH

📋 TL;DR

A SQL injection vulnerability in CADClick's ccHandler.aspx file allows remote attackers to execute arbitrary SQL commands via the bomid parameter. This affects all versions of CADClick v1.11.0 and earlier, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • CADClick
Versions: v1.11.0 and all earlier versions
Operating Systems: Windows (presumed based on ASP.NET technology)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable ccHandler.aspx file are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data manipulation, and potential remote code execution on the database server.

🟠 Likely Case: Unauthorized data access, data exfiltration, and potential privilege escalation within the application.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, potentially only error messages or limited data exposure.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via web requests to ccHandler.aspx.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or unauthenticated attacks depending on configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via URL parameter is typically straightforward to exploit with common tools like sqlmap.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None provided in references

Restart Required: No

Instructions:

No official patch available. Contact vendor at http://cadclick.de/ or http://kimweb.de/ for updated version information.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement server-side input validation to sanitize the bomid parameter.

Not applicable - requires code modification

Web Application Firewall (platform: all)

Deploy WAF with SQL injection rules to block malicious requests.

Not applicable - configuration dependent

🧯 If You Can't Patch

  • Isolate the CADClick application behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from the application server

🔍 How to Verify

Check if Vulnerable:

Test ccHandler.aspx with SQL injection payloads in bomid parameter (e.g., ccHandler.aspx?bomid=1' OR '1'='1)

Check Version:

Check CADClick version in application interface or configuration files

Verify Fix Applied:

Verify parameterized queries or input validation is implemented in ccHandler.aspx code

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple requests to ccHandler.aspx with suspicious bomid values

Network Indicators:

  • HTTP requests containing SQL keywords in bomid parameter
  • Unusual database query patterns from application server

SIEM Query:

web.url="*ccHandler.aspx*" AND (web.param="*bomid=*'*" OR web.param="*bomid=*%27*")
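
A log-side counterpart to the indicators and SIEM query above, added here as an example (it is not part of the original advisory or any vendor code). It flags ccHandler.aspx requests whose bomid value is non-numeric or contains SQL syntax, including URL-encoded and double-encoded quotes that the literal `'` / `%27` match misses. Assumptions: legitimate bomid values are integers, and log lines are whitespace-separated as date, time, client IP, method, URI stem, URI query, status; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumption: legitimate bomid values are plain integers (the page's test request uses bomid=1).
BOMID_OK = re.compile(r"\d{1,18}")
SQL_HINTS = re.compile(r"['\";]|--|/\*|\b(or|and|union|select|exec)\b", re.I)

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding (%2527 -> %27 -> ') so encoded quotes are seen."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def suspicious_bomid(url):
    """Return the reasons a ccHandler.aspx request's bomid looks hostile, else []."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("cchandler.aspx"):
        return []
    reasons = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "bomid":      # ASP.NET query-string keys are case-insensitive
            continue
        value = fully_decode(raw)        # parse_qsl has already decoded one layer
        if SQL_HINTS.search(value):
            reasons.append(f"sql-syntax: {value!r}")
        elif not BOMID_OK.fullmatch(value):
            reasons.append(f"non-numeric: {value!r}")
    return reasons

def scan(lines):
    """Return (client_ip, reasons) per flagged line; field order is an assumed layout."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:   # skip header and short lines
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        reasons = suspicious_bomid(f"{stem}?{query}")
        if reasons:
            hits.append((ip, reasons))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    "2024-08-01 10:00:01 203.0.113.5 GET /ccHandler.aspx bomid=42 200",
    "2024-08-01 10:00:02 203.0.113.9 GET /ccHandler.aspx bomid=1%27+OR+%271%27%3D%271 500",
    "2024-08-01 10:00:03 203.0.113.9 GET /cchandler.ASPX BomId=1%2527 500",
    "2024-08-01 10:00:04 198.51.100.7 GET /ccHandler.aspx bomid=abc 200",
    "2024-08-01 10:00:05 198.51.100.7 GET /index.aspx q=o%27brien 200",
]
```

Calling `scan(SAMPLE)` flags the second, third and fourth lines; the first (numeric bomid) and the last (a different page) are left alone.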
