CVE-2024-28298 identifies an SQL injection vulnerability in BM SOFT BMPlanning version 1.0.0.1. The flaw exists in the handling of several parameters—SEC_IDF, LIE_IDF, PLANF_IDF, CLI_IDF, DOS_IDF, and potentially others—passed to the /BMServerR.dll/BMRest endpoint. Authenticated users can exploit this vulnerability by injecting malicious SQL commands through these parameters, which the backend database executes without proper sanitization or parameterization. This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 6.0 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), unchanged scope (S:U), with low confidentiality impact (C:L), high integrity impact (I:H), and low availability impact (A:L). No patches or known exploits are currently available, but the vulnerability poses a risk of unauthorized data manipulation and partial data exposure within the affected application environment.

The vulnerability allows authenticated users to execute arbitrary SQL commands, which can lead to unauthorized modification of critical business planning data, potentially corrupting or altering plans, client information, or other sensitive records. While confidentiality impact is rated low, the high integrity impact means attackers could manipulate data to disrupt business operations or decision-making. Availability impact is low but could occur if injected commands cause database errors or crashes. Organizations relying on BM SOFT BMPlanning for critical planning functions may face operational disruptions, data integrity issues, and potential compliance violations if exploited. The requirement for authentication limits exposure but insider threats or compromised credentials increase risk. No known exploits in the wild reduce immediate threat but vigilance is necessary.

Organizations should implement strict access controls to limit authenticated user privileges to the minimum necessary. Conduct thorough input validation and parameterized queries in the application code to prevent SQL injection. Monitor database logs and application behavior for unusual queries or errors indicating exploitation attempts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the vulnerable parameters. Regularly audit user accounts and credentials to prevent unauthorized access. Since no official patch is currently available, consider isolating or restricting access to the /BMServerR.dll/BMRest endpoint where feasible. Engage with BM SOFT for updates or patches and plan for timely application once released. Conduct penetration testing focused on SQL injection vectors to identify and remediate similar weaknesses.