CVE-2024-5350 Overview
CVE-2024-5350 is a SQL injection vulnerability in anji-plus AJ-Report versions up to 1.4.1. The flaw resides in the pageList function exposed through the /pageList endpoint. Attackers can manipulate the p parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely over the network and requires only low privileges. Exploit details have been publicly disclosed, increasing the risk of opportunistic attacks against exposed AJ-Report deployments. The issue is tracked as VulDB identifier 266262 and classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers with low privileges can inject SQL commands through the p parameter of /pageList, leading to unauthorized data access and integrity loss in AJ-Report deployments.
Affected Products
- anji-plus AJ-Report versions up to and including 1.4.1
- Deployments exposing the /pageList endpoint to untrusted networks
- Reporting environments built on the anji-plus AJ-Report platform
Discovery Timeline
- 2024-05-25 - CVE-2024-5350 published to NVD
- 2025-03-01 - Last updated in NVD database
Technical Details for CVE-2024-5350
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-controlled input passed to the pageList function in AJ-Report. The p argument supplied through the /pageList request is concatenated into a SQL statement without adequate sanitization or parameterized binding. Attackers can submit crafted payloads that alter the structure of the resulting query.
Successful exploitation allows the attacker to read data outside of the intended scope, modify backend records, or enumerate database schema. The EPSS score for this issue is approximately 0.072%, reflecting limited observed exploitation activity at this time. However, public disclosure of exploit details lowers the barrier to weaponization.
Because AJ-Report is a reporting tool, the affected database typically contains business intelligence data, dashboard definitions, and account information. Compromise of this data yields direct value to attackers.
Root Cause
The root cause is the absence of input validation and prepared statements for the p parameter in the pageList handler. User input is treated as trusted SQL fragments rather than as data values. This violates secure coding patterns required to prevent injection attacks classified under CWE-89.
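The difference between concatenating p and binding it, shown as an added example (not AJ-Report's code). The table, the handler names and the numeric meaning of p are assumptions made for illustration; the tautology is the one listed under Detection Strategies.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for report metadata (hypothetical schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO report (name, owner) VALUES (?, ?)",
                     [("sales", "alice"), ("payroll", "bob"), ("audit", "carol")])
    return conn

def page_list_concat(conn, owner, p):
    # Vulnerable pattern: p is pasted into the SQL text, so it can change
    # the structure of the WHERE clause instead of acting as a value.
    sql = "SELECT name FROM report WHERE owner = ? AND id = " + p + " ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]

def page_list_bound(conn, owner, p):
    # Hardened pattern: validate first, then bind. The statement text is
    # constant; p only ever reaches the database as an integer value.
    if not p.isdigit():
        raise ValueError("p must be a non-negative integer")
    sql = "SELECT name FROM report WHERE owner = ? AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner, int(p)))]

if __name__ == "__main__":
    db = make_db()
    print(page_list_concat(db, "alice", "1"))         # alice's own row
    print(page_list_concat(db, "alice", "1 OR 1=1"))  # owner filter bypassed
    print(page_list_bound(db, "alice", "1"))          # alice's own row
```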
Attack Vector
The attack vector is network-based. An authenticated user with low privileges sends an HTTP request to /pageList and supplies a malicious value in the p argument. The injected SQL executes within the database context used by the AJ-Report application.
The vulnerability mechanism follows standard SQL injection patterns. See the GitHub Issue Discussion #34 and the GitHub Project Report PDF for technical details published by the reporter.
Detection Methods for CVE-2024-5350
Indicators of Compromise
- HTTP requests to /pageList containing SQL metacharacters such as single quotes, UNION, SELECT, --, or /* inside the p parameter.
- Database error messages or unusually large response sizes returned from /pageList requests.
- Unexpected outbound database queries originating from the AJ-Report application user.
- Authentication logs showing low-privileged accounts making repeated requests to /pageList.
Detection Strategies
- Inspect web server and reverse proxy logs for /pageList requests with anomalous p parameter values.
- Enable database query logging and alert on queries containing tautologies such as 1=1, OR 1=1, or stacked statements.
- Deploy a web application firewall (WAF) ruleset tuned for SQL injection patterns targeting AJ-Report endpoints.
- Correlate authentication events with downstream database activity to identify abnormal data access volumes.
Monitoring Recommendations
- Forward AJ-Report application, web server, and database logs to a centralized analytics platform for retention and correlation.
- Alert on bursts of /pageList requests from a single source IP within short time windows.
- Track schema enumeration patterns such as queries against information_schema originating from the AJ-Report database account.
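A log triage sketch for the indicators and monitoring points above, added here as an example and not taken from the advisory or the vendor. It assumes nginx "combined" access logs with p carried in the query string; the sample lines, thresholds and function name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (nginx "combined" prefix); not real traffic.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.9 - - [01/Jun/2024:10:00:0{s} +0000] "GET /pageList?p={s} HTTP/1.1" 200 512'
     for s in range(5)] + [
    '198.51.100.7 - - [01/Jun/2024:10:05:00 +0000] "GET /pageList?p=1%27%20OR%201%3D1-- HTTP/1.1" 500 91',
    '198.51.100.7 - - [01/Jun/2024:10:06:00 +0000] "GET /pageList?p=2 HTTP/1.1" 200 512',
    '192.0.2.4 - - [01/Jun/2024:10:07:00 +0000] "GET /reports?p=%27 HTTP/1.1" 200 40',
])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')
# Markers taken from the indicator list: quotes, comments, UNION/SELECT, tautologies.
SQLI_RE = re.compile(
    r"'|--|/\*|;|\b(?:union|select|information_schema)\b|\bor\s+1\s*=\s*1\b", re.I)

def scan(log_text, burst=5, window=timedelta(seconds=10)):
    """Return (suspicious p values, source IPs with request bursts) for /pageList."""
    suspicious, seen = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, target = m.groups()
        url = urlsplit(target)
        if url.path != "/pageList":
            continue
        seen[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
        # parse_qs percent-decodes, so encoded quotes and spaces are matched too.
        for value in parse_qs(url.query, keep_blank_values=True).get("p", []):
            if SQLI_RE.search(value):
                suspicious.append((ip, value))
    bursty = set()
    for ip, stamps in seen.items():
        stamps.sort()
        # Sliding window: `burst` requests whose first and last fall within `window`.
        if any(stamps[i + burst - 1] - stamps[i] <= window
               for i in range(len(stamps) - burst + 1)):
            bursty.add(ip)
    return suspicious, bursty

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

If the deployment carries p in the request body rather than the query string, apply the same pattern to body or WAF logs, since access logs will not contain the value. Tune the pattern and the burst threshold against normal /pageList traffic before alerting on it.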
How to Mitigate CVE-2024-5350
Immediate Actions Required
- Restrict network access to the AJ-Report /pageList endpoint to trusted users and management networks only.
- Review AJ-Report user accounts and remove unused or low-trust accounts that could be leveraged by attackers.
- Apply least-privilege principles to the database account used by AJ-Report so that injection impact is contained.
- Audit recent /pageList traffic and database logs for signs of prior exploitation.
Patch Information
No fixed version is referenced in the published advisory at the time of NVD modification on 2025-03-01. Monitor the anji-plus report GitHub repository and the VulDB #266262 Analysis entry for updates. Upgrade to a version newer than 1.4.1 once a patched release is published by the vendor.
Workarounds
- Place AJ-Report behind a WAF with SQL injection signatures enabled for the /pageList URI.
- Implement reverse-proxy filtering that rejects requests where the p parameter contains SQL syntax characters.
- Disable or block external exposure of the /pageList endpoint until a vendor patch is available.
- Run the AJ-Report database service under a dedicated, minimally privileged account with no DDL or cross-database permissions.
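# Example nginx location block to restrict /pageList access by source IP
location /pageList {
    # Replace 10.0.0.0/8 with the trusted user or management range
    allow 10.0.0.0/8;
    # Every other source address receives 403
    deny all;
    # aj-report-backend must be defined as an upstream or resolvable host
    proxy_pass http://aj-report-backend;
}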


