
CVE-2024-24004

Severity: Critical
Published: Tue Feb 06 2024 (02/06/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

CVE-2024-24004 is a critical SQL Injection vulnerability in jshERP v3.3, specifically in the DepotHeadController's findInOutDetail() function. The vulnerability arises because the application does not properly sanitize the 'column' and 'order' parameters, allowing attackers to bypass the safeSqlParse method and inject malicious SQL payloads. This flaw enables unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to full database compromise, including loss of data confidentiality, integrity, and availability. The vulnerability has a CVSS score of 9.8, indicating critical severity with a network attack vector, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the risk is high due to the ease of exploitation and the critical nature of the flaw. Organizations using jshERP v3.3 should urgently review and patch this vulnerability once a fix is available, or implement immediate mitigations to restrict access and monitor for suspicious activity.

AI-Powered Analysis

Last updated: 02/26/2026, 10:18:53 UTC

Technical Analysis

CVE-2024-24004 identifies a critical SQL Injection vulnerability in the jshERP enterprise resource planning software, version 3.3. The vulnerability exists in the DepotHeadController component, specifically within the findInOutDetail() function. This function processes user-supplied 'column' and 'order' parameters that are intended to control SQL query sorting and filtering. However, these parameters are insufficiently sanitized, allowing attackers to craft malicious input that bypasses the application's safeSqlParse method designed to prevent SQL injection. As a result, attackers can inject arbitrary SQL commands directly into the backend database query. This vulnerability is exploitable remotely over the network without requiring authentication or user interaction, making it highly accessible to attackers. The impact includes unauthorized data disclosure, data modification, and potential denial of service by corrupting or deleting database contents. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 9.8, reflecting the critical nature of this flaw with full impact on confidentiality, integrity, and availability, and an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). No patches or known exploits are currently reported, but the severity and ease of exploitation make this a high priority for remediation.

Potential Impact

The impact of CVE-2024-24004 on organizations using jshERP v3.3 is severe. Successful exploitation allows remote attackers to execute arbitrary SQL commands on the backend database without authentication, leading to full compromise of sensitive business data. This includes unauthorized access to confidential information such as financial records, inventory data, and operational details. Attackers could modify or delete critical data, disrupting business operations and causing data integrity issues. Additionally, attackers may leverage this access to escalate privileges within the system or pivot to other internal resources, increasing the overall risk. The availability of the ERP system could be compromised through destructive SQL commands, resulting in downtime and operational losses. Given the critical role ERP systems play in enterprise resource management, the vulnerability poses a significant threat to organizational security, compliance, and business continuity worldwide.

Mitigation Recommendations

To mitigate CVE-2024-24004, organizations should immediately restrict external access to the jshERP application, especially the vulnerable DepotHeadController endpoints, using network segmentation, firewalls, or VPNs. Implement strict input validation and sanitization on the 'column' and 'order' parameters at the application level to prevent malicious SQL payloads. Employ parameterized queries or prepared statements in the codebase to eliminate direct concatenation of user inputs into SQL commands. Monitor application logs and database activity for unusual queries or access patterns indicative of exploitation attempts. If possible, deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting these parameters. Organizations should engage with the jshERP vendor or community to obtain and apply official patches or updates addressing this vulnerability as soon as they become available. Additionally, conduct thorough security assessments and penetration testing on the ERP environment to identify and remediate any other potential injection points.
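The two code-level recommendations above (input validation on 'column' and 'order', and parameterized queries) have to be combined rather than chosen between, because a sort column name and sort direction are SQL identifiers and keywords that cannot be bound as query parameters; only the row filter values can. The following is an added example, not jshERP's own code (the project's controllers are written in Java; the pattern is shown here in Python with sqlite3 so it runs stand-alone). The depot_head table, its columns, the SORTABLE_COLUMNS map and the find_in_out_detail function name are assumptions for illustration.

```python
"""
Allowlist-based handling of sort parameters plus a parameterized WHERE clause.
Added illustration (not jshERP's own code): column names and sort directions
cannot be bound as SQL parameters, so they are mapped through a fixed allowlist
before being placed into the statement; the row filter value is bound.
"""
import sqlite3

# Assumed (hypothetical) mapping from the API's exposed sort keys to real
# column identifiers. Anything not in this dict is rejected outright.
SORTABLE_COLUMNS = {
    "id": "id",
    "number": "number",
    "create_time": "create_time",
    "total_price": "total_price",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class InvalidSortParameter(ValueError):
    """Raised when 'column' or 'order' is not on the allowlist."""


def resolve_sort(column, order):
    """Map user-supplied sort parameters to allowlisted SQL fragments.

    The returned strings come from the dicts above, never from the request,
    so interpolating them into the query cannot introduce injected SQL.
    """
    try:
        col = SORTABLE_COLUMNS[column]
        direction = SORT_DIRECTIONS[order.lower()]
    except (KeyError, AttributeError):
        raise InvalidSortParameter(
            f"unsupported sort parameters: {column!r}, {order!r}"
        )
    return col, direction


def find_in_out_detail(conn, depot_type, column="create_time", order="desc", limit=10):
    """Query depot records sorted by an allowlisted column.

    Hypothetical stand-in for a findInOutDetail-style handler: the filter
    value and the limit are bound parameters; the identifiers are allowlisted.
    """
    col, direction = resolve_sort(column, order)
    sql = (
        "SELECT id, number, create_time, total_price FROM depot_head "
        f"WHERE type = ? ORDER BY {col} {direction} LIMIT ?"
    )
    return conn.execute(sql, (depot_type, limit)).fetchall()


def build_sample_db():
    """Constructed in-memory sample data standing in for a real depot_head table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE depot_head (id INTEGER PRIMARY KEY, number TEXT, "
        "type TEXT, create_time TEXT, total_price REAL)"
    )
    conn.executemany(
        "INSERT INTO depot_head VALUES (?, ?, ?, ?, ?)",
        [
            (1, "IN-001", "in", "2024-01-10", 120.0),
            (2, "OUT-001", "out", "2024-01-11", 80.5),
            (3, "IN-002", "in", "2024-01-12", 300.0),
        ],
    )
    return conn


def sort_param_is_accepted(column, order):
    """True if the (column, order) pair passes the allowlist, else False."""
    try:
        resolve_sort(column, order)
        return True
    except InvalidSortParameter:
        return False


if __name__ == "__main__":
    db = build_sample_db()
    print(find_in_out_detail(db, "in", "total_price", "desc"))
    # Any value outside the allowlist, including one carrying a SQL fragment,
    # is refused before a statement is ever built.
    print(sort_param_is_accepted("create_time; --", "asc"))
```

The design point is that the request never contributes characters to the SQL text: it contributes a lookup key, and the lookup either yields a known-good identifier or fails closed. A rejected sort parameter is also a useful signal for the log monitoring recommended above, since legitimate clients only ever send keys from the published set.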


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-25T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d56b7ef31ef0b57068e

Added to database: 2/25/2026, 9:44:54 PM

Last enriched: 2/26/2026, 10:18:53 AM

Last updated: 2/26/2026, 11:11:42 AM
