DataGear <=5.0.0: EL Injection via ConversionSqlParamValueMapper (Critical)
CVE-2024-7552 Published on August 6, 2024
DataGear Data Schema Page ConversionSqlParamValueMapper.java evaluateVariableExpression expression language injection
A vulnerability was found in DataGear up to 5.0.0. It has been declared as critical. Affected by this vulnerability is the function evaluateVariableExpression of the file ConversionSqlParamValueMapper.java of the component Data Schema Page. The manipulation leads to improper neutralization of special elements used in an expression language statement. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273697 was assigned to this vulnerability.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Type
What is an EL Injection Vulnerability?
The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
CVE-2024-7552 has been classified as an EL Injection vulnerability or weakness.
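As an added illustration of this weakness class (example code, not DataGear's own; nothing below is taken from ConversionSqlParamValueMapper.java), the Java snippet contrasts splicing untrusted input into a Spring SpEL expression with binding that input as a variable in a restricted evaluation context. Class and method names are hypothetical.

```java
// Added example, not DataGear code. Shows the CWE-917 pattern and a safer
// alternative using Spring's SpEL API (spring-expression on the classpath).
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.common.TemplateParserContext;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class ElInjectionDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Unsafe (the injection pattern): the user-controlled value becomes part
    // of the expression text, so an input containing "#{...}" is parsed and
    // evaluated by the engine instead of being treated as plain data.
    static Object evaluateUnsafe(String template, String userValue) {
        String built = template.replace("{value}", userValue);
        // TemplateParserContext treats "#{...}" segments as expressions; with
        // no explicit context, getValue() uses a full StandardEvaluationContext.
        Expression e = PARSER.parseExpression(built, new TemplateParserContext());
        return e.getValue();
    }

    // Safer: the expression text is fixed by the application. User data enters
    // only as a named variable, and SimpleEvaluationContext disables type
    // references, constructors, bean lookups and other powerful features.
    static Object evaluateSafe(String userValue) {
        SimpleEvaluationContext ctx =
                SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("value", userValue);
        Expression e = PARSER.parseExpression("#value");
        return e.getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed benign input: an expression that evaluates to 2.
        String input = "#{1+1}";
        // Unsafe path evaluates the input: prints "2".
        System.out.println("unsafe: " + evaluateUnsafe("{value}", input));
        // Safe path returns the input unchanged as a string: prints "#{1+1}".
        System.out.println("safe:   " + evaluateSafe(input));
    }
}
```

A review check for this pattern is any call that builds expression text from request parameters; the fix is to keep expression text static and pass data through the evaluation context.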
Products Associated with CVE-2024-7552
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.