Home

Description

SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows remote attacker to execute arbitrary SQL commands via the POST body request. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users.

PUBLISHED Reserved 2024-10-08 | Published 2024-10-30 | Updated 2024-11-04 | Assigner mitre

References

sas.com

github.com/...0140edd6a1455e6157b8ba2f7a67/SQL injection.pdf

cve.org (CVE-2024-48733)

nvd.nist.gov (CVE-2024-48733)

Download JSON