CVE-2024-48579

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 25, 2024 / Updated: 25d ago

CVSS 9.8 / EPSS 0.04% / Critical

Summary

SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request.

Impact

This vulnerability has severe impact potential. It allows remote attackers to execute arbitrary code on the affected system, which can lead to complete system compromise: unauthorized access to sensitive data, modification or deletion of information, and ultimately control of the entire system. Because the flaw sits in the login request, it can be exploited before authentication, which increases its severity.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

As of the provided information, there is no mention of an available patch. The affected software is Best House rental management system project in php v.1.0, and users should monitor for updates from the vendor Mayurik.

Mitigation

1. Implement input validation and sanitization for all user inputs, especially the username parameter in the login request.
2. Use prepared statements or parameterized queries for database interactions to prevent SQL injection.
3. Apply the principle of least privilege to database accounts used by the application.
4. Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts.
5. Regularly update and patch the Best House rental management system as soon as fixes become available.
6. Consider implementing multi-factor authentication to add an extra layer of security to the login process.
7. Monitor system logs for any suspicious activities or unauthorized access attempts.
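The following is an added example illustrating mitigation step 2 for a PHP login handler like the one the affected project exposes; it is not code from the Best House project, and the table layout, account name and password are constructed for the demo. It places the string-concatenation pattern that creates the injection surface next to the PDO prepared-statement form, using an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example (not code from the Best House project): the same login
// lookup written two ways against an in-memory SQLite database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

// Constructed sample account; the name and secret are invented for the demo.
$seed = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$seed->execute([':u' => "o'brien", ':h' => password_hash('demo-password', PASSWORD_DEFAULT)]);

// Pattern to avoid: the username is interpolated straight into the SQL text,
// so quote characters in it change the structure of the query (CWE-89).
function vulnerableLogin(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Hardened form: the query text is fixed at prepare() time and the username
// travels as a bound parameter, so it can only ever be compared as data.
function safeLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// A legitimate username containing an apostrophe is enough to show the
// difference: the concatenated query is no longer valid SQL, while the
// parameterized one simply looks the user up.
try {
    vulnerableLogin($pdo, "o'brien", 'demo-password');
    echo "vulnerableLogin: query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'vulnerableLogin: query broke on the quote character: ' . $e->getMessage() . "\n";
}

var_dump(safeLogin($pdo, "o'brien", 'demo-password'));
var_dump(safeLogin($pdo, "o'brien", 'wrong-password'));
```

Run it with `php login_example.php` (any PHP build with the pdo_sqlite extension). The point of the apostrophe test is that whatever breaks the query for an honest user is exactly what an attacker gets to control; with the bound parameter, the database never parses the username as SQL, and the MySQL driver the real application would use (`PDO` with a `mysql:` DSN, or `mysqli` prepared statements) behaves the same way.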

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-48579

Oct 25, 2024 at 4:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48579. See article

Oct 25, 2024 at 4:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 25, 2024 at 4:24 PM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 25, 2024 at 8:40 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 26, 2024 at 9:53 AM

Affected Systems

Mayurik/best_house_rental_management_system

Attack Patterns

CAPEC-242: Code Injection

News

CVE Alert: CVE-2024-48579
Everyone that supports the site helps enable new functionality. CVSS v3 Score: 9.8 (Critical)
CVE-2024-48579
Critical Severity Description SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request. Read more at https://www.tenable.com/cve/CVE-2024-48579
NA - CVE-2024-48579 - SQL Injection vulnerability in Best House...
SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request.
CVE-2024-48579 | Best House Rental Management System 1.0 Login username sql injection
A vulnerability was found in Best House Rental Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the component Login. The manipulation of the argument username leads to sql injection. The identification of this vulnerability is CVE-2024-48579. The attack may be initiated remotely. There is no exploit available.
CVE-2024-48579
SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
