CVE-2024-29386 is a SQL injection vulnerability discovered in Projeqtor, an open-source project management software, affecting versions up to 11.2.0. The vulnerability exists in the /view/criticalResourceExport.php component, where user-supplied input is not properly sanitized before being incorporated into SQL queries. This improper input validation allows an authenticated user with low privileges to inject malicious SQL commands, potentially leading to unauthorized data disclosure or modification. The CVSS v3.1 score is 5.4 (medium), reflecting that the attack vector is network-based (AV:N), requires low attack complexity (AC:L), and low privileges (PR:L), with no user interaction (UI:N). The scope is unchanged (S:U), and the impact affects confidentiality and integrity partially (C:L/I:L) but not availability (A:N). The vulnerability is categorized under CWE-89, indicating classic SQL injection issues. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to the confidentiality and integrity of project data managed by Projeqtor. The lack of available patches at the time of publication necessitates immediate attention to access controls and monitoring. This vulnerability highlights the importance of input validation and secure coding practices in web applications handling sensitive project management data.

The primary impact of CVE-2024-29386 is the potential unauthorized disclosure and modification of sensitive project management data within Projeqtor installations. Attackers with low-level authenticated access can exploit the SQL injection flaw to read or alter database contents, potentially exposing confidential project details, resource allocations, or other critical information. While availability is not directly affected, the integrity and confidentiality compromise can lead to significant operational disruptions, loss of trust, and compliance violations. Organizations relying on Projeqtor for managing projects, especially those handling sensitive or regulated data, face risks of data breaches and insider threats. The medium severity rating reflects the requirement for authentication and the limited scope of impact, but the ease of exploitation and network accessibility increase the threat level. Without timely mitigation, attackers could leverage this vulnerability to escalate privileges or pivot to other internal systems.

1. Immediately restrict access to the /view/criticalResourceExport.php endpoint to only trusted and necessary users, ideally limiting it to administrative roles. 2. Implement strict input validation and sanitization on all user inputs, especially those interacting with SQL queries, to prevent injection attacks. 3. Monitor application and database logs for unusual query patterns or errors indicative of SQL injection attempts. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting Projeqtor endpoints. 5. Regularly review user privileges and enforce the principle of least privilege to minimize the impact of compromised accounts. 6. Stay alert for official patches or updates from Projeqtor developers and apply them promptly once available. 7. Consider deploying database activity monitoring tools to detect anomalous queries in real-time. 8. Conduct security assessments or penetration tests focusing on SQL injection vectors in Projeqtor installations. 9. Educate users about the risks of credential sharing and enforce strong authentication mechanisms to reduce unauthorized access risks.