CVE-2024-24110 is a SQL Injection vulnerability identified in the crmeb_java application before version 1.3.4. The flaw exists in the handling of input parameters sent via a GET request to the /api/front/spread/people endpoint. Due to insufficient input validation and sanitization, attackers with low privileges can inject arbitrary SQL commands into the backend database queries. This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS 3.1 base score is 6.5, reflecting medium severity, with an attack vector of network (remote exploitation), low attack complexity, and requiring privileges but no user interaction. Successful exploitation can lead to unauthorized disclosure of sensitive data from the database, compromising confidentiality. However, the vulnerability does not allow modification or deletion of data (no integrity or availability impact). No public exploit code or active exploitation has been reported to date. The vulnerability was reserved on January 25, 2024, and published on February 29, 2024. No official patches or fixes are linked yet, but upgrading to version 1.3.4 or later is implied to resolve the issue.

The primary impact of CVE-2024-24110 is unauthorized disclosure of sensitive information stored in the backend database of crmeb_java applications. Attackers exploiting this vulnerability can extract confidential data, which may include user information, business data, or other sensitive records. This can lead to privacy violations, regulatory non-compliance, and reputational damage for affected organizations. Since the vulnerability requires low privileges, insider threats or compromised accounts could be leveraged to exploit it. The lack of impact on data integrity or availability reduces the risk of data manipulation or service disruption, but the confidentiality breach alone is significant. Organizations relying on crmeb_java for customer relationship management or related services worldwide could face targeted attacks, especially if they have not applied the necessary updates or mitigations.

Organizations should immediately verify if they are running crmeb_java versions prior to 1.3.4 and plan to upgrade to version 1.3.4 or later where the vulnerability is fixed. In the absence of an official patch, implement strict input validation and sanitization on the /api/front/spread/people endpoint to reject or neutralize malicious SQL payloads. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this endpoint. Limit the privileges of accounts that can access this API to the minimum necessary to reduce exploitation risk. Conduct thorough code reviews and security testing focusing on SQL injection vectors in all API endpoints. Monitor logs for unusual database query patterns or repeated failed attempts to exploit the vulnerability. Additionally, consider database-level protections such as query parameterization and the use of least privilege database accounts to minimize potential damage.