FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

Exploit
CVE-2024-9085

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 22, 2024 / Updated: 58d ago

010
CVSS 6.9EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A critical vulnerability has been discovered in code-projects Restaurant Reservation System version 1.0. The issue affects the processing of the file index.php, where manipulation of the 'date' argument can lead to SQL injection. This vulnerability can be exploited remotely without requiring user interaction or privileges.

Impact

The impact of this vulnerability is severe, with potential for high levels of compromise in confidentiality, integrity, and availability of the affected system. Attackers could potentially: 1. Access, modify, or delete sensitive data in the database 2. Execute unauthorized database commands 3. Bypass authentication mechanisms 4. Escalate privileges within the application 5. Potentially gain control over the underlying server The CVSS v3.1 base score of 9.8 (Critical) indicates that this vulnerability poses a significant risk to the organization if left unaddressed.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the latest information provided, there is no mention of an available patch for this vulnerability. The affected version is Restaurant Reservation System 1.0, and users should monitor for updates from code-projects for a patched version.

Mitigation

While waiting for an official patch, consider the following mitigation strategies: 1. Implement input validation and sanitization for all user inputs, especially the 'date' parameter in index.php. 2. Use parameterized queries or prepared statements to prevent SQL injection. 3. Apply the principle of least privilege to database accounts used by the application. 4. Enable SQL query logging and monitor for suspicious activities. 5. Consider temporarily disabling the affected functionality if possible without disrupting critical business operations. 6. Implement a Web Application Firewall (WAF) to filter out malicious requests. 7. Regularly update and patch the underlying server and database systems. 8. Conduct a thorough security review of the application to identify and address any similar vulnerabilities.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9085

Sep 22, 2024 at 8:15 AM
CVSS

A CVSS base score of 7.3 has been assigned.

Sep 22, 2024 at 8:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9085. See article

Sep 22, 2024 at 8:24 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 22, 2024 at 8:24 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.3%)

Sep 23, 2024 at 9:27 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Sep 27, 2024 at 4:20 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Sep 27, 2024 at 7:12 PM
Static CVE Timeline Graph

Affected Systems

Code-projects/restaurant_reservation_system
+null more

Exploits

https://github.com/ppp-src/a/issues/18
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

News

CVE-2024-9085 Exploit
inTheWild.io Exploits / 53d
CVE Id : CVE-2024-9085 Published Date: 2024-09-27T16:19:00+00:00 A vulnerability was found in code-projects Restaurant Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file index.php. The manipulation of the argument date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions sid as affected paramater which is incorrect. inTheWild added a link to an exploit:
CVE Alert: CVE-2024-9085 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9085/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9085
RedPacket Security / @RedPacketSec / 57d
CVE Alert: CVE-2024-9085 - redpacketsecurity.com/cve_al… #OSINT #ThreatIntel #CyberSecurity #cve_2024_9085
#threatintel / 58d
CVE Alert: CVE-2024-9085 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-9085/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_9085
CVE-2024-9085
Newest CVEs from Tenable / 58d
High Severity Description A vulnerability was found in code-projects Restaurant Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file index.php. The manipulation of the argument date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions sid as affected paramater which is incorrect. Read more at https://www.tenable.com/cve/CVE-2024-9085
CVE-2024-9085 - Exploits & Severity - Feedly
Google Alert - feedly / 58d
The initial researcher advisory mentions sid as affected paramater which is incorrect. A CVSS base score of 7.3 has been assigned.
See 10 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 9.8(27010)CWE-89(13175)Code-projects(118)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial