MidnightBSD

Advisories for atisoluciones

CVE-2024-2722

SQL injection vulnerability in the CIGESv2 system, through /ajaxConfigTotem.php, in the 'id' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
atisoluciones ciges 2.0
CVE-2024-2723

SQL injection vulnerability in the CIGESv2 system, through /ajaxSubServicios.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
atisoluciones ciges 2.0
CVE-2024-2724

SQL injection vulnerability in the CIGESv2 system, through /ajaxServiciosAtencion.php, in the 'idServicio' parameter. The exploitation of this vulnerability could allow a remote user to retrieve all data stored in the database by sending a specially crafted SQL query.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
atisoluciones ciges 2.0
CVE-2024-2725

Information exposure vulnerability in the CIGESv2 system. A remote attacker might be able to access /vendor/composer/installed.json and retrieve all installed packages used by the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
atisoluciones ciges 2.0
CVE-2024-2726

Stored Cross-Site Scripting (Stored-XSS) vulnerability affecting the CIGESv2 system, allowing an attacker to execute and store malicious javascript code in the application form without prior registration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
atisoluciones ciges 2.0
CVE-2024-2727

HTML injection vulnerability affecting the CIGESv2 system, which allows an attacker to inject arbitrary code and modify elements of the website and email confirmation message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
atisoluciones ciges 2.0
CVE-2024-2728

Information exposure vulnerability in the CIGESv2 system. This vulnerability could allow a local attacker to intercept traffic due to the lack of proper implementation of the TLS protocol.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve-coordination@incibe.es 4.1 MEDIUM CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 0.5 3.6

Products Affected

Vendor Product Version
atisoluciones ciges 2.0