{"id":57131,"date":"2025-07-04T11:23:49","date_gmt":"2025-07-04T11:23:49","guid":{"rendered":""},"modified":"2025-09-27T07:38:49","modified_gmt":"2025-09-27T13:38:49","slug":"cve-2024-12150-high-severity-blind-sql-injection-vulnerability-in-eron-software-wowwo-crm","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2024-12150-high-severity-blind-sql-injection-vulnerability-in-eron-software-wowwo-crm\/","title":{"rendered":"<strong>CVE-2024-12150: High Severity Blind SQL Injection Vulnerability in Eron Software Wowwo CRM<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>The world of cybersecurity has once again been faced with a critical vulnerability, this time in the Eron Software Wowwo CRM. Identified as CVE-2024-12150, this vulnerability leverages the infamous SQL Injection attack vector, with a specific emphasis on Blind SQL Injection. With a CVSS Severity Score of 9.8, the flaw is a serious threat to any organization using this software. It poses a <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-6510-critical-vulnerability-in-netgear-ex6100-leading-to-potential-system-compromise\/\"  data-wpil-monitor-id=\"63768\">potential risk of system<\/a> compromise and data leakage, which could lead to substantial damage both in terms of financial loss and reputation damage.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2024-12150<br \/>\nSeverity: Critical (CVSS score 9.8)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: None<br \/>\nImpact: Potential <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5867-critical-vulnerability-in-rt-thread-5-1-0-leading-to-system-compromise-or-data-leakage\/\"  data-wpil-monitor-id=\"63911\">system compromise and data<\/a> leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-1597214014\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>Eron Software Wowwo CRM | All versions until vendor&#8217;s patch<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The vulnerability, as described, allows an attacker to leverage Blind <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-49853-sql-injection-vulnerability-in-controlid-idsecure-on-premises-versions\/\"  data-wpil-monitor-id=\"64356\">SQL Injection<\/a> techniques. <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-52822-sql-injection-vulnerability-in-iqonic-design-wp-roadmap\/\"  data-wpil-monitor-id=\"63929\">SQL Injection vulnerabilities<\/a> occur when an application fails to properly sanitize user-supplied input before incorporating it into an SQL query. In this case, the application is failing to neutralize <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-50213-special-element-injection-vulnerability-in-apache-airflow-providers-snowflake\/\"  data-wpil-monitor-id=\"63980\">special elements<\/a> used in an SQL command.<br \/>\nA Blind <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-5590-time-based-sql-injection-vulnerability-in-owl-carousel-plugin-for-wordpress\/\"  data-wpil-monitor-id=\"64887\">SQL Injection<\/a> differs from a traditional SQL Injection in that the results of the attack are not visible to the attacker. Instead, the attacker is able to reconstruct the database structure by sending payloads and observing the application&#8217;s response and the time it takes to respond.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-3422823354\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>Here&#8217;s a conceptual example of how the vulnerability might be exploited:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/login HTTP\/1.1\nHost: vulnerable-eron-crm.com\nContent-Type: application\/x-www-form-urlencoded\nusername=admin&#039; AND 1=(SELECT CASE WHEN (1=1) THEN 1 ELSE 0 END FROM dual) AND &#039;1&#039;=&#039;1&amp;password=<\/code><\/pre>\n<p>In this example, the attacker is attempting to log in using the &#8216;admin&#8217; username. The SQL statement following the username is a conditional statement that will always evaluate to true (1=1). If the application is vulnerable, it will process this statement as part of the SQL query, potentially <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2023-47294-critical-vulnerability-in-ncr-terminal-handler-v1-5-1-allows-user-account-manipulation\/\"  data-wpil-monitor-id=\"63767\">allowing the attacker to log in as the &#8216;admin&#8217; user<\/a>.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p>The vendor has yet to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-35115-critical-system-package-download-vulnerability-in-agiloft-release-28\/\"  data-wpil-monitor-id=\"85331\">release a patch for this vulnerability<\/a>. Until a patch is available, it is recommended that organizations use a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) as a temporary mitigation. These <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2021-41691-sql-injection-vulnerability-in-os4ed-open-source-information-system-community\/\"  data-wpil-monitor-id=\"64151\">systems can help detect and block SQL Injection<\/a> attacks.<br \/>\nRemember that while WAFs and IDS systems serve as good temporary solutions, they are not substitutes for secure coding practices. Always sanitize and validate user inputs to prevent <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2015-0842-an-inside-view-on-yubiserver-sql-injection-vulnerability\/\"  data-wpil-monitor-id=\"65136\">SQL Injection<\/a> attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The world of cybersecurity has once again been faced with a critical vulnerability, this time in the Eron Software Wowwo CRM. Identified as CVE-2024-12150, this vulnerability leverages the infamous SQL Injection attack vector, with a specific emphasis on Blind SQL Injection. With a CVSS Severity Score of 9.8, the flaw is a serious threat [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[74],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-57131","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-sql-injection"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/57131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=57131"}],"version-history":[{"count":9,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/57131\/revisions"}],"predecessor-version":[{"id":78124,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/57131\/revisions\/78124"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=57131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=57131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=57131"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=57131"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=57131"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=57131"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=57131"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=57131"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=57131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}