
CVE-2024-58301: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in purei Purei CMS

Severity: Critical
Tags: Vulnerability, CVE-2024-58301, CWE-89
Published: Thu Dec 11 2025 (12/11/2025, 21:39:49 UTC)
Source: CVE Database V5
Vendor/Project: purei
Product: Purei CMS

Description

Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information.

AI-Powered Analysis

Last updated: 12/11/2025, 22:11:18 UTC

Technical Analysis

CVE-2024-58301 identifies a critical SQL injection vulnerability in Purei CMS version 1.0, categorized under CWE-89 for improper neutralization of special elements in SQL commands. The vulnerability is a time-based blind SQL injection, meaning attackers can infer database information by measuring response delays caused by crafted SQL payloads. The flaw exists because certain endpoints, specifically getAllParks.php and events-ajax.php, fail to properly sanitize or parameterize user-supplied input before incorporating it into SQL queries. This allows remote, unauthenticated attackers to inject malicious SQL code directly into database queries, potentially leading to unauthorized data disclosure, data modification, or even full database compromise. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality and integrity. Although no public exploits have been reported yet, the vulnerability's characteristics make it highly exploitable. The lack of available patches or mitigations from the vendor further increases risk. Organizations using Purei CMS 1.0 should consider this a critical threat to their data security and operational integrity.

Potential Impact

For European organizations, exploitation of this vulnerability could lead to significant data breaches, including theft of sensitive customer or operational data, unauthorized data manipulation, and potential disruption of services relying on the CMS. Given the critical severity and ease of exploitation, attackers could leverage this flaw to compromise websites and backend databases, damaging organizational reputation and potentially violating GDPR regulations due to unauthorized data exposure. Public-facing Purei CMS installations are particularly vulnerable, increasing the risk of widespread attacks. The integrity of data used for business decisions or public information could be undermined, and attackers might use the compromised CMS as a foothold for further network intrusion. The absence of authentication or user interaction requirements broadens the attack surface, making even smaller organizations with limited security resources vulnerable.

Mitigation Recommendations

Immediate mitigation steps include implementing strict input validation and sanitization on all user-supplied parameters, especially those handled by getAllParks.php and events-ajax.php endpoints. Employing parameterized queries or prepared statements in the CMS codebase will prevent injection of malicious SQL commands. Organizations should conduct thorough code reviews and penetration testing focused on SQL injection vectors. Deploying Web Application Firewalls (WAFs) with rules targeting SQL injection patterns can provide temporary protection while patches or updates are developed. Monitoring database query logs for unusual delays or anomalous queries can help detect exploitation attempts. If possible, isolate the CMS database with least privilege access and network segmentation to limit damage scope. Organizations should also engage with the vendor or community to obtain patches or updates and plan for CMS upgrades. Finally, regular backups and incident response plans should be in place to recover from potential data compromise.
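As an added defensive example (not code from the advisory or from the Purei CMS project), the following Python script applies the "monitor for unusual delays" recommendation to web server access logs: it flags requests to the two named endpoints whose response time is far above that endpoint's own baseline, which is the signature a time-based blind probe leaves even when the query string looks ordinary. It assumes an nginx-style combined log with $request_time (seconds) appended as the last field; the log lines, client IPs and thresholds are constructed for the example.

```python
import re, statistics
from collections import defaultdict

# Constructed access-log lines ($request_time is the last field). The two paths are the
# endpoints named in the advisory; IPs are documentation ranges and timings are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2025:21:40:01 +0000] "GET /getAllParks.php?id=3 HTTP/1.1" 200 512 0.041
203.0.113.5 - - [11/Dec/2025:21:40:02 +0000] "GET /events-ajax.php?month=12 HTTP/1.1" 200 2048 0.055
198.51.100.9 - - [11/Dec/2025:21:40:03 +0000] "GET /getAllParks.php?id=4 HTTP/1.1" 200 498 0.038
203.0.113.5 - - [11/Dec/2025:21:40:04 +0000] "GET /events-ajax.php?month=11 HTTP/1.1" 200 1990 0.051
198.51.100.9 - - [11/Dec/2025:21:40:09 +0000] "GET /getAllParks.php?id=4 HTTP/1.1" 200 498 5.047
203.0.113.5 - - [11/Dec/2025:21:40:10 +0000] "GET /getAllParks.php?id=7 HTTP/1.1" 200 530 0.044
198.51.100.9 - - [11/Dec/2025:21:40:17 +0000] "GET /events-ajax.php?month=1 HTTP/1.1" 200 2048 5.062
198.51.100.9 - - [11/Dec/2025:21:40:28 +0000] "GET /getAllParks.php?id=4 HTTP/1.1" 200 498 10.031
203.0.113.5 - - [11/Dec/2025:21:40:29 +0000] "GET /index.php HTTP/1.1" 200 8000 0.120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" '
                    r'\d{3} \d+ (?P<rt>\d+\.\d+)$')
WATCHED = ("/getAllParks.php", "/events-ajax.php")  # endpoints from the advisory

def parse(log_text):
    """Return one dict per parsable line: client ip, endpoint (path without query), rt."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append({"ip": m["ip"], "endpoint": m["path"].split("?", 1)[0],
                         "rt": float(m["rt"])})
    return rows

def find_delay_anomalies(log_text, floor=2.0, ratio=10.0):
    """Flag watched-endpoint requests slower than max(floor, ratio * endpoint median).
    The median baseline assumes probes are a minority of traffic, hence the floor."""
    rows = parse(log_text)
    by_ep = defaultdict(list)
    for r in rows:
        if r["endpoint"] in WATCHED:
            by_ep[r["endpoint"]].append(r["rt"])
    baseline = {ep: statistics.median(v) for ep, v in by_ep.items()}
    return [(r["ip"], r["endpoint"], r["rt"]) for r in rows
            if r["endpoint"] in baseline
            and r["rt"] >= max(floor, ratio * baseline[r["endpoint"]])]

def suspects(hits, min_hits=2):
    """Client IPs with repeated flagged requests: one slow hit is noise, a series is not."""
    per_ip = defaultdict(int)
    for ip, _, _ in hits:
        per_ip[ip] += 1
    return sorted(ip for ip, n in per_ip.items() if n >= min_hits)
```

Feed real logs through `find_delay_anomalies` and alert on `suspects`; tune `floor` to the CMS's normal worst-case latency so legitimate slow pages do not trip it.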


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2025-12-11T00:58:28.457Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 693b3df322246175c6a4712a

Added to database: 12/11/2025, 9:56:03 PM

Last enriched: 12/11/2025, 10:11:18 PM

Last updated: 12/12/2025, 12:15:38 AM

