CVE-2024-50584: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Image Access GmbH Scan2Net
An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the /class/template_io.php file and supplying malicious GET parameters. The "templates" parameter is vulnerable against blind boolean-based SQL injection attacks. SQL syntax must be injected into the JSON syntax of the templates parameter.
AI Analysis
Technical Summary
CVE-2024-50584 is an SQL injection vulnerability classified under CWE-89 in Image Access GmbH's Scan2Net product. The flaw is in the /class/template_io.php file, specifically in the handling of the 'templates' GET parameter, which is vulnerable to blind boolean-based SQL injection. An authenticated attacker holding the 'Poweruser' role can inject SQL syntax into the JSON structure of the 'templates' parameter, enabling them to manipulate the backend database queries. Because the injection is blind and boolean-based, the attacker sees no direct query output and instead infers data from the true/false behaviour of the responses. Attack complexity is low, the required privileges are low, and no user interaction is needed. The CVSS v3.1 base score is 4.4, reflecting limited confidentiality and integrity impact and no availability impact. No patches or known exploits have been reported yet. Successful exploitation could let an attacker extract sensitive information from, or alter data in, the Scan2Net device's database, compromising the integrity and confidentiality of stored information.
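The mechanism the summary describes, decoded JSON values flowing into SQL text, is easiest to see next to its fix. The following Python/SQLite example is added here for illustration; it is not code from the advisory, from Image Access GmbH, or from Scan2Net, and the table layout, column names, template names and the `lookup_*` function names are all constructed assumptions. `lookup_unsafe` shows the CWE-89 pattern in which a string taken out of the JSON array is interpolated into the WHERE clause, so a quote inside the value ends the literal and the remainder is parsed as SQL; `lookup_safe` validates the decoded array against a strict shape and binds every value as a query parameter, so the same input is either rejected or treated as plain data.

```python
import json
import re
import sqlite3
from typing import List

# Constructed demo schema; the real Scan2Net database layout is not on the advisory page.
SCHEMA = """
CREATE TABLE templates (id INTEGER PRIMARY KEY, name TEXT NOT NULL, owner TEXT NOT NULL);
INSERT INTO templates (name, owner) VALUES ('invoice', 'alice'), ('contract', 'bob'), ('receipt', 'alice');
"""

# Assumed shape of a legitimate template name: short, identifier-like, no quotes or spaces.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed input with a quote inside a JSON string: valid JSON, hostile as SQL text.
TAUTOLOGY_INPUT = """["x' OR 'a'='a"]"""


def parse_templates_param(raw: str) -> List[str]:
    """Decode the JSON 'templates' GET parameter and validate every element before it
    gets anywhere near a query. Anything that is not a non-empty JSON array of
    identifier-like strings is rejected with ValueError."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"templates is not valid JSON: {exc}") from None
    if not isinstance(data, list) or not data:
        raise ValueError("templates must be a non-empty JSON array")
    names = []
    for item in data:
        if not isinstance(item, str) or not NAME_RE.fullmatch(item):
            raise ValueError(f"invalid template name: {item!r}")
        names.append(item)
    return names


def lookup_unsafe(conn: sqlite3.Connection, raw: str):
    """CWE-89 pattern: decoded JSON strings are interpolated into SQL text. A quote in a
    value terminates the literal and the rest of the value is parsed as SQL."""
    names = json.loads(raw)  # decoded but never validated
    where = " OR ".join(f"name = '{n}'" for n in names)
    return conn.execute(f"SELECT name FROM templates WHERE {where} ORDER BY name").fetchall()


def lookup_safe(conn: sqlite3.Connection, raw: str):
    """Hardened form: validate the decoded array, then bind each value as a parameter so
    the database driver never parses user data as SQL."""
    names = parse_templates_param(raw)
    placeholders = ",".join("?" * len(names))
    sql = f"SELECT name FROM templates WHERE name IN ({placeholders}) ORDER BY name"
    return conn.execute(sql, names).fetchall()


def open_demo_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


if __name__ == "__main__":
    db = open_demo_db()
    print("benign, unsafe :", lookup_unsafe(db, '["invoice"]'))
    print("benign, safe   :", lookup_safe(db, '["invoice"]'))
    print("quoted, unsafe :", lookup_unsafe(db, TAUTOLOGY_INPUT))  # every row comes back
    try:
        lookup_safe(db, TAUTOLOGY_INPUT)
    except ValueError as err:
        print("quoted, safe   : rejected ->", err)
```

The two defences are independent: parameter binding alone already stops the value from being parsed as SQL, and the shape check additionally keeps quote characters and SQL keywords out of the request path, which is the same allowlist a reverse proxy or the endpoint logging described under mitigation can enforce.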
Potential Impact
For European organizations, the impact primarily concerns the confidentiality and integrity of data managed by Scan2Net devices. Attackers with Poweruser credentials could extract sensitive configuration or user data, or modify stored information, potentially disrupting workflows or exposing sensitive scanning data. While availability is not affected, unauthorized data manipulation could undermine trust in document management processes. Organizations in sectors that rely on Scan2Net for document scanning and archiving, such as government agencies, legal firms, and healthcare providers, may face compliance and privacy risks if the flaw is exploited. The requirement for authenticated access limits remote exploitation, but insider threats or compromised credentials could enable attacks. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation.
Mitigation Recommendations
Since no official patch is currently available, organizations should implement compensating controls. These include restricting 'Poweruser' role assignments to trusted personnel only and enforcing strong authentication mechanisms to reduce risk of credential compromise. Network segmentation should isolate Scan2Net devices from untrusted networks to limit attacker access. Monitoring and logging of access to the /class/template_io.php endpoint and unusual query patterns can help detect exploitation attempts. If possible, disable or restrict access to the vulnerable endpoint or parameters. Regularly review and update device firmware and software to apply patches once released by Image Access GmbH. Additionally, conduct security awareness training for users with elevated privileges to recognize and report suspicious activity.
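Monitoring the endpoint is only useful if something reads the logs, so here is an added example of that check in Python; it is not code from the advisory or from Image Access GmbH. It scans web-server access logs in Apache combined format for requests to /class/template_io.php, URL-decodes the `templates` query parameter, and flags values that are not valid JSON, are not a JSON array of plain template names, or carry SQL metacharacters or keywords inside a JSON string. Because blind boolean-based injection needs many requests to infer anything, it also counts flagged requests per client and user. The sample log lines, the hosts, user names and timestamps in them, and the assumed template-name format are all constructed.

```python
import json
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache combined log format. Hosts, users and timestamps are made up
# and are not taken from the advisory or from any real device.
SAMPLE_LOG = """\
10.0.0.5 - poweruser1 [03/Nov/2025:22:10:01 +0000] "GET /class/template_io.php?templates=%5B%22invoice%22%5D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - poweruser1 [03/Nov/2025:22:10:02 +0000] "GET /class/template_io.php?templates=%5B%22invoice%27%20AND%201%3D1--%22%5D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - poweruser1 [03/Nov/2025:22:10:03 +0000] "GET /class/template_io.php?templates=%5B%22invoice%27%20AND%201%3D2--%22%5D HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.0.0.9 - alice [03/Nov/2025:22:11:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - alice [03/Nov/2025:22:11:05 +0000] "GET /class/template_io.php?templates=not-json HTTP/1.1" 400 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
ENDPOINT = "/class/template_io.php"  # the endpoint named in the advisory
# Assumed shape of a legitimate template name (not specified by the advisory).
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Characters and keywords that have no business inside a template name.
SQL_META_RE = re.compile(r"(['\"`;]|--|/\*|\b(?:or|and|union|select|sleep|benchmark)\b)", re.I)


def inspect_templates_value(value: str) -> Optional[str]:
    """Return a reason string if a decoded 'templates' value looks like an injection
    probe, or None when it is a well-formed array of plain template names."""
    try:
        data = json.loads(value)
    except json.JSONDecodeError:
        return "templates is not valid JSON"
    items = data if isinstance(data, list) else [data]
    for item in items:
        if not isinstance(item, str):
            return f"non-string element {item!r}"
        if NAME_RE.fullmatch(item):
            continue
        hit = SQL_META_RE.search(item)
        if hit:
            return f"SQL metacharacter or keyword {hit.group(0)!r} inside JSON string"
        return f"unexpected template name {item!r}"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each line, keep only hits on the vulnerable endpoint, and record one finding
    per suspicious 'templates' value."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on noise
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        for value in parse_qs(parts.query).get("templates", []):
            reason = inspect_templates_value(value)
            if reason:
                findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                                 "status": m["status"], "reason": reason})
    return findings


def repeat_offenders(findings: List[Dict[str, str]], threshold: int) -> Dict[Tuple[str, str], int]:
    """Blind boolean-based injection is inferred one true/false answer at a time, so the
    same client and user producing flagged requests repeatedly is the stronger signal."""
    counts = Counter((f["ip"], f["user"]) for f in findings)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} user={h["user"]} status={h["status"]} :: {h["reason"]}')
    print("repeat offenders:", repeat_offenders(hits, threshold=2))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the per-principal count is what to alert on, since a single malformed request is often a typo while a burst of them from one Poweruser account is the pattern the advisory describes. Response size is kept in each finding because a blind boolean probe typically produces two distinct sizes for "true" and "false" answers, which is a useful secondary check when reviewing the hits.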
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2024-10-25T07:26:12.627Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69092eea35043901e82cab18
Added to database: 11/3/2025, 10:38:34 PM
Last enriched: 11/3/2025, 11:37:34 PM
Last updated: 12/19/2025, 2:58:04 AM