A critical SQL injection vulnerability has been identified in the 2023 version of Gescen, an educational platform developed by Centros Digitales. The flaw, discovered by Alberto Gasulla and coordinated by INCIBE, lets an attacker inject SQL through the “pass” parameter, potentially exposing all data stored in the database. It is tracked as CVE-2024-4466 and carries a CVSS base score of 9.8, in the critical range, reflecting its impact on confidentiality, integrity, and availability.
Gescen users are strongly urged to update their systems immediately; the vulnerability has been fixed in the latest version of the product. Leaving it unpatched could result in unauthorized access and data breaches, given how easily this class of vulnerability can be exploited.
The vulnerability is classified as CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): user-supplied input reaches a query without being kept separate from the SQL syntax around it. The case underscores the importance of maintaining up-to-date security measures and regularly updating software to protect against known vulnerabilities. Users are advised to download the latest version of Gescen from the official Centros Digitales website and confirm that the update has been applied.
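To make the CWE-89 pattern described above concrete, the following is an added illustration written for this article, not Gescen's code and not the actual exploit: a hypothetical login lookup in which a “pass” parameter is spliced into the SQL text, shown next to the parameterized form that fixes it. The table layout, account data, and the classic tautology payload are all constructed for the demonstration.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data for the demonstration: two accounts in a minimal
# users table. This is not Gescen's schema, code or data. Passwords are kept
# in plaintext only to keep the example short; a real system stores hashes.
SAMPLE_USERS = [
    ("teacher", "correct horse battery staple"),
    ("admin", "another-secret"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str,
                      pass_param: str) -> List[Tuple[str, str]]:
    """CWE-89: request values are concatenated into the SQL text, so whoever
    controls the "pass" parameter also controls the shape of the WHERE clause."""
    query = ("SELECT username, pass FROM users WHERE username = '" + username
             + "' AND pass = '" + pass_param + "'")
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str,
                 pass_param: str) -> List[Tuple[str, str]]:
    """Hardened form: constant SQL text plus bound parameters. A quote inside
    "pass" is compared as data and can never terminate the string literal."""
    query = "SELECT username, pass FROM users WHERE username = ? AND pass = ?"
    return conn.execute(query, (username, pass_param)).fetchall()


# Textbook tautology payload for a quoted-string context (constructed here,
# not a claim about the Gescen exploit): it closes the open literal and
# appends a condition that is true for every row, so AND/OR precedence turns
# the WHERE clause into "... OR '1'='1'".
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the payload against both variants and summarise the outcome."""
    conn = make_db()
    vuln_rows = lookup_vulnerable(conn, "teacher", PAYLOAD)
    fixed_rows = lookup_fixed(conn, "teacher", PAYLOAD)
    return {
        # Every row comes back: authentication bypassed and all accounts dumped.
        "vuln_rows_with_payload": len(vuln_rows),
        "vuln_login_with_payload": len(vuln_rows) > 0,
        # Bound parameter: the payload is just a wrong password.
        "fixed_rows_with_payload": len(fixed_rows),
        "fixed_login_correct": len(
            lookup_fixed(conn, "teacher", "correct horse battery staple")) > 0,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable variant returns both constructed accounts for a password it was never given, which is the "all data in the database" outcome the advisory warns about; the parameterized variant returns nothing for the payload and still accepts the correct password, which is the whole fix.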
INCIBE continues to work closely with developers to identify and mitigate vulnerabilities in widely used software, ensuring the protection of sensitive educational data and maintaining the integrity of digital platforms.