CVE-2024-9090

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 23, 2024 / Updated: 58d ago

CVSS 5.3 (Medium) | EPSS 0.05%

Summary

A SQL injection vulnerability has been disclosed in SourceCodester Modern Loan Management System version 1.0. It affects an unidentified function in the file search_member.php: the user-supplied 'searchMember' parameter is incorporated into a SQL statement without parameterization or neutralization (CWE-89), so a remote attacker can change the structure of the query the application runs. The original disclosure classifies the issue as critical; the scores on this page differ by scorer, with 5.3 (Medium) from the CVSS 4.0 vector below and 6.3, later revised to 9.8, recorded in the timeline under CVSS 3.1. The two vectors also disagree on whether authentication is required (PR:L in the CVSS 4.0 vector, PR:N in the CVSS 3.1 vector), which is worth confirming against the published proof of concept before triage.

Impact

Successful exploitation lets a remote attacker run attacker-controlled SQL against the application's backend database. The realistic consequences are:

1. Unauthorized access to sensitive data: retrieval of confidential information stored in the database, such as member financial records or loan details. A search handler that selects a few columns is enough for this, because a UNION appended to the injected query can pull rows from any other table the database account can read.
2. Data integrity compromise: modification or deletion of loan management records, which undermines the system's value as a financial record even if nothing is exfiltrated.
3. System compromise: where the database account holds file-write or command-execution privileges (the escalation CAPEC-108 describes), SQL injection can be turned into execution on the host. This depends on the database engine and on how the application's account is privileged, not on the injection alone.
4. Service disruption: deliberately expensive or blocking queries can degrade or stall the database and with it the loan management system.

Exploitation

A proof-of-concept exploit is published on shawroot.cc (linked under Exploits below). There is no evidence of in-the-wild exploitation at the time of writing; EPSS puts the probability of exploitation in the next 30 days at 0.05% (16.3rd percentile).
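To make concrete what a proof of concept against a parameter like searchMember does, and what the prepared-statement fix in the Mitigation section changes, here is an added example. It is not the shawroot.cc PoC and not code from Modern Loan Management System: a stand-in member-search handler written two ways, one assembling the query from the parameter and one binding it. The application itself is PHP (search_member.php); Python with an in-memory SQLite database is used here so the example runs stand-alone, and the pattern maps directly onto PDO::prepare() with bound values or mysqli_stmt::bind_param(). The schema, table names, rows and payloads are all constructed for this example.

```python
"""
Added example, not the shawroot.cc PoC and not code from Modern Loan Management System.
It models a member-search handler two ways to show why a query assembled from the
`searchMember` value is injectable (CWE-89) and why the parameterized form is not.
The schema, table names, rows and payloads below are constructed.
"""
import sqlite3

# Constructed data; the page does not show the application's real schema.
MEMBERS = [
    (1, "alice", "alice@example.test", 12000.00),
    (2, "bob", "bob@example.test", 4500.00),
    (3, "carol", "carol@example.test", 880.50),
]
# A table the search was never meant to expose.
USERS = [(1, "admin", "$2y$10$constructedhashvalue")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT, loan_balance REAL)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", MEMBERS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def search_member_vulnerable(conn, search_member):
    """The anti-pattern: the request parameter is pasted into the SQL text, so a quote
    in `searchMember` closes the string literal and the rest is parsed as SQL."""
    sql = ("SELECT id, name, email, loan_balance FROM members "
           "WHERE name LIKE '%" + search_member + "%'")
    return conn.execute(sql).fetchall()


def search_member_safe(conn, search_member):
    """The fix named under Mitigation: the value is bound as a parameter and can only
    ever be compared as data. (Escaping LIKE wildcards in user input is a separate,
    functional concern and is deliberately not done here.)"""
    sql = "SELECT id, name, email, loan_balance FROM members WHERE name LIKE ?"
    return conn.execute(sql, ("%" + search_member + "%",)).fetchall()


# Constructed payloads of the kind a SQLi PoC against a LIKE-based search would send.
PAYLOAD_DUMP_ALL = "%' OR 1=1 -- "
PAYLOAD_UNION = "%' UNION SELECT id, username, password_hash, 0 FROM users -- "


def demo():
    """Run the same inputs through both handlers and report what each one returns."""
    conn = make_db()
    return {
        "benign_vuln": len(search_member_vulnerable(conn, "ali")),
        "benign_safe": len(search_member_safe(conn, "ali")),
        "dump_vuln": len(search_member_vulnerable(conn, PAYLOAD_DUMP_ALL)),   # whole table
        "dump_safe": len(search_member_safe(conn, PAYLOAD_DUMP_ALL)),         # no rows
        "union_vuln": sorted(r[1] for r in search_member_vulnerable(conn, PAYLOAD_UNION)),
        "union_safe": len(search_member_safe(conn, PAYLOAD_UNION)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The benign search behaves identically in both versions; the two payloads dump the whole members table and then a row from the users table through the vulnerable handler, while the parameterized handler treats the same strings as literal search terms and returns nothing.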

Patch

The page records no vendor patch for this vulnerability. Users of SourceCodester Modern Loan Management System version 1.0 should contact the vendor for a fix. Because SourceCodester projects are distributed as source, operators who run the system can also apply the prepared-statement fix described under Mitigation to search_member.php themselves and re-audit any other handlers built the same way.

Mitigation

Until a patch is available, the following steps are recommended:

1. Input validation: apply strict allow-list validation to all user-supplied data, starting with the 'searchMember' parameter in search_member.php. Treat this as defence in depth; it does not replace step 2.
2. Parameterized queries: build every SQL statement as a prepared statement with bound parameters (in PHP, PDO::prepare() with bound values or mysqli_stmt::bind_param()) instead of concatenating request data into the query text. This is the actual fix for CWE-89.
3. Least privilege: run the application under a database account limited to the tables and statements it needs, with no file-system, administrative or superuser privileges, so that an injection cannot be escalated to host compromise.
4. Web Application Firewall (WAF): deploy a WAF to detect and block SQL injection attempts while the code is being fixed; expect it to be bypassable and do not rely on it alone.
5. Regular security audits: review the rest of the codebase for the same pattern, since a search handler built by concatenation is rarely the only one.
6. Network segmentation: isolate the affected system from critical network segments to limit the blast radius of a successful exploit.
7. Monitor for suspicious activity: log requests to search_member.php and alert on 'searchMember' values containing SQL metacharacters, comment sequences or UNION/SELECT keywords. Note that web-server access logs only show GET query strings; if the parameter is sent in a POST body, the check has to run in the application or the WAF.
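An added example for the monitoring step above, not from the page or the vendor: a small check that scans web-server access-log lines for requests to search_member.php whose searchMember value carries SQL-injection markers. The log format (Apache/nginx combined) and the assumption that the parameter arrives in a GET query string are this example's own; the page does not say whether the PoC uses GET or POST, and POST bodies never appear in an access log. All log lines are constructed.

```python
"""
Added example, not from the page or the vendor: a log check for the "monitor for
suspicious activity" mitigation. Assumptions that are this example's own: the log is
in Apache/nginx combined format and searchMember travels in a GET query string.
All log lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2024:19:15:02 +0000] "GET /loan/search_member.php?searchMember=alice HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Sep/2024:19:15:40 +0000] "GET /loan/search_member.php?searchMember=%25%27+OR+1%3D1+--+ HTTP/1.1" 200 9120 "-" "python-requests/2.31"
203.0.113.9 - - [27/Sep/2024:19:16:03 +0000] "GET /loan/search_member.php?searchMember=%25%27+UNION+SELECT+id%2Cusername%2Cpassword_hash%2C0+FROM+users--+ HTTP/1.1" 200 9340 "-" "python-requests/2.31"
203.0.113.9 - - [27/Sep/2024:19:16:30 +0000] "GET /loan/search_member.php?searchMember=x%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 120 "-" "sqlmap/1.8"
198.51.100.2 - - [27/Sep/2024:19:17:11 +0000] "GET /loan/index.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2024:19:18:00 +0000] "GET /loan/search_member.php?searchMember=O%27Brien HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Markers needed to change query structure rather than just search for a name:
# a quote followed by a boolean operator, UNION ... SELECT, comment truncation and
# time-based probes. A bare apostrophe (as in O'Brien) is deliberately not enough.
SQLI_RE = re.compile(
    r"""['"]\s*(?:or|and)\b"""
    r"|\bunion\b\s+(?:all\s+)?select\b"
    r"|--(?:\s|$)|/\*"
    r"|\b(?:sleep|benchmark|pg_sleep)\s*\(",
    re.IGNORECASE,
)


def find_sqli_attempts(log_text, endpoint="search_member.php", param="searchMember"):
    """Return one record per request to `endpoint` whose `param` value looks like SQL injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/" + endpoint):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so the pattern runs on
        # what the PHP side would see in $_GET, not on the encoded wire form.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if SQLI_RE.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "ua": m.group("ua"), "value": value})
    return hits


def attempts_by_ip(hits):
    """Count flagged requests per source address; repeated probes from one address
    are the strongest signal in practice."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_sqli_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["ua"]}: searchMember={h["value"]!r}')
    print(attempts_by_ip(found))
```

The check decodes the query string before matching so that encoded payloads are seen the way the application sees them, and it flags the three probes from 203.0.113.9 while leaving the legitimate search for O'Brien alone. It is a triage aid, not a WAF; a determined attacker can encode around a pattern like this, which is why the prepared-statement fix remains the control that matters.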

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article (Sep 22, 2024 at 11:39 PM, Vulnerability Database): Feedly found the first article mentioning CVE-2024-9090.

CVSS Estimate (Sep 22, 2024 at 11:41 PM): Feedly estimated the CVSS score as HIGH.

CVE Assignment (Sep 23, 2024 at 12:15 AM): NVD published the first details for CVE-2024-9090.

CVSS (Sep 23, 2024 at 12:20 AM, nvd): A CVSS base score of 6.3 has been assigned.

EPSS (Sep 23, 2024 at 9:27 AM): EPSS score set to 0.05% (percentile: 16.3%).

CVSS (Sep 27, 2024 at 4:25 PM, nvd): A CVSS base score of 9.8 has been assigned.

Proof of Concept (PoC) Released (Sep 27, 2024 at 7:12 PM): A proof-of-concept exploit has been released.

Affected Systems

Mayurik/modern_loan_management_system

Exploits

https://www.shawroot.cc/2810.html

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Vulnerability Summary for the Week of September 23, 2024 (excerpt of the High Vulnerabilities table: vendor / product, description, published, CVSS score, CVE, source)

Dover Fueling Solutions (DFS) / ProGauge MAGLINK LX CONSOLE: A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE UTILITY sub-menu can allow a remote attacker to inject arbitrary commands. Published 2024-09-25, CVSS 10, CVE-2024-43693, source ics-cert@hq.dhs.gov.

Dover Fueling Solutions (DFS) / ProGauge MAGLINK LX CONSOLE: A specially crafted POST request to the ProGauge MAGLINK LX CONSOLE IP sub-menu can allow a remote attacker to inject arbitrary commands. Published 2024-09-25, CVSS 10, CVE-2024-45066, source ics-cert@hq.dhs.gov.

webdevmattcrom / GiveWP Donation Plugin and Fundraising Platform: The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932; however, it was discovered that the presence of stripslashes_deep on user_info allows the is_serialized check to be bypassed. This issue was mostly patched in 3.16.1, but further hardening was added in 3.16.2. Published 2024-09-28, CVSS 10, CVE-2024-8353, source security@wordfence.com (six references).

Scriptcase / Scriptcase: Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ via a POST request. An attacker could upload malicious files to the server due to the application not properly verifying user input. Published 2024-09-25, CVSS 10, CVE-2024-8940, source cve-coordination@incibe.es.

n/a / n/a: File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop.
CVE-2024-9090 Exploit
CVE Id : CVE-2024-9090 Published Date: 2024-09-27T16:22:00+00:00 A vulnerability was found in SourceCodester Modern Loan Management System 1.0. It has been classified as critical. Affected is an unknown function of the file search_member.php. The manipulation of the argument searchMember leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://www.shawroot.cc/2810.html
CVE Alert: CVE-2024-9090 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9090/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9090

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
