CVE-2024-11773: 
Ivanti Cloud Services Appliance vulnerability analysis and mitigation

SQL injection vulnerability (CVE-2024-11773) affects the admin web console of Ivanti Cloud Services Application (CSA) versions prior to 5.0.3. The vulnerability was disclosed on December 10, 2024, and allows a remote authenticated attacker with admin privileges to execute arbitrary SQL statements (NVD, FortiGuard).

The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.1 by Ivanti and 7.2 by NIST. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and no user interaction (UI:N) (NVD).

If successfully exploited, this vulnerability allows an authenticated attacker with administrative privileges to execute arbitrary SQL statements, potentially leading to unauthorized access to or modification of the database, data theft, or data manipulation (Hacker News).

Ivanti has released version 5.0.3 of the Cloud Services Application (CSA) to address this vulnerability. Users are strongly advised to upgrade to this version immediately (Hacker News).