CVE-2024-55160
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk39th percentile - higher than 39% of all known CVEs
Summary
A SQL injection vulnerability was discovered in GFast versions 2 to 3.2 via the OrderBy parameter at /system/operLog/list. An attacker can manipulate this parameter to execute unauthorized database queries.
Risk Assessment
The risk involves unauthorized access to database data, its modification or deletion, potentially compromising the confidentiality and integrity of organizational data.
Recommendation
Immediately update GFast to the latest available version that fixes this vulnerability. If an update is not possible, implement server-side validation and sanitization of the OrderBy parameter.
Original NVD description (English source)
GFast between v2 to v3.2 was discovered to contain a SQL injection vulnerability via the OrderBy parameter at /system/operLog/list.

