Exploit
CVE-2024-9081

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 22, 2024 / Updated: 58d ago

010
CVSS 5.3EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A critical vulnerability has been discovered in SourceCodester Online Eyewear Shop 1.0. The vulnerability affects an unknown functionality in the file view_category.php. By manipulating the 'id' argument, an attacker can perform SQL injection. This attack can be launched remotely, and the exploit has been publicly disclosed.

Impact

This SQL injection vulnerability allows attackers to potentially access, modify, or delete sensitive information in the database. Given the CVSS v3.1 score of 7.5 (High) and the confidentiality impact rated as "HIGH", it's likely that attackers could retrieve sensitive customer data, including personal information and potentially payment details. The integrity and availability of the system don't seem to be directly impacted, but the compromised data could lead to further attacks or reputational damage.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the provided information, there is no mention of an available patch for this vulnerability.

Mitigation

1. Implement input validation and sanitization for all user inputs, especially the 'id' parameter in view_category.php. 2. Use parameterized queries or prepared statements to prevent SQL injection. 3. Apply the principle of least privilege to database accounts used by the application. 4. Regularly update and patch the Online Eyewear Shop software as fixes become available. 5. Implement web application firewall (WAF) rules to detect and block SQL injection attempts. 6. Conduct a thorough code review of the entire application to identify and fix similar vulnerabilities. 7. Monitor database activity for any suspicious queries or unauthorized access attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9081. See article

Sep 22, 2024 at 7:03 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 22, 2024 at 7:04 AM
CVE Assignment

NVD published the first details for CVE-2024-9081

Sep 22, 2024 at 7:15 AM
CVSS

A CVSS base score of 6.3 has been assigned.

Sep 22, 2024 at 7:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.3%)

Sep 23, 2024 at 10:47 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Sep 27, 2024 at 4:20 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Sep 27, 2024 at 7:12 PM
Static CVE Timeline Graph

Affected Systems

Oretnom23/online_eyewear_shop
+null more

Exploits

https://github.com/41lai/cve/blob/main/sql.md
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

News

CVE-2024-9081 Exploit
CVE Id : CVE-2024-9081 Published Date: 2024-09-27T16:17:00+00:00 A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file view_category.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/41lai/cve/blob/main/sql.md
CVE Alert: CVE-2024-9081 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9081/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9081
CVE Alert: CVE-2024-9081 - redpacketsecurity.com/cve_al… #OSINT #ThreatIntel #CyberSecurity #cve_2024_9081
CVE Alert: CVE-2024-9081 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-9081/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_9081
CVE-2024-9081
Medium Severity Description A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file view_category.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9081
NA - CVE-2024-9081 - A vulnerability was found in SourceCodester...
A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file view_category.php. The...
See 9 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:None
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI