CVE-2024-9921 (CVSS 9.8): Critical Flaw Found in Popular Business Collaboration Tool Team+
In a recent vulnerability note issued by TWCERT/CC (Taiwan Computer Emergency Response Team / Coordination Center), three significant security vulnerabilities have been identified in Team+, a popular secure communication and collaboration platform developed by TEAMPLUS TECHNOLOGY. These vulnerabilities, if left unpatched, could allow attackers to gain unauthorized access to sensitive data, manipulate files, and exploit backend systems. With the severity of these flaws, businesses relying on Team+ must act quickly to ensure they are protected.
Team+, known for its secure, private cloud-based structure and robust features like instant messaging and video conferencing, has become a staple for businesses seeking to streamline communication and collaboration.
SQL Injection Opens Door to Database Mayhem (CVE-2024-9921)
The most severe vulnerability, identified as CVE-2024-9921 and assigned a critical CVSS score of 9.8, allows unauthenticated attackers to inject malicious SQL commands. Due to improper validation of specific page parameters, unauthenticated attackers can inject arbitrary SQL commands. This means that a malicious actor could read, modify, or delete database contents. Exploiting this vulnerability could lead to unauthorized access to sensitive company data, including confidential communications, user credentials, and files stored within the platform.
Path Traversal Vulnerabilities Expose System Files (CVE-2024-9922 & CVE-2024-9923)
Two further vulnerabilities, CVE-2024-9922 and CVE-2024-9923, exploit path traversal weaknesses. CVE-2024-9922 (CVSS 7.5) allows unauthenticated attackers to read arbitrary system files, potentially exposing confidential configurations or sensitive system information. CVE-2024-9923 (CVSS 4.9), while requiring administrator privileges, enables attackers to move arbitrary system files to the website’s root directory, making them accessible to the outside world.
Urgent Action Required: Update to v14.0.0 or Later
TEAMPLUS TECHNOLOGY has addressed these vulnerabilities in version 14.0.0 and later. TWCERT/CC strongly urges all Team+ users running version 13.5.x to update their systems immediately to mitigate these critical security risks.
