Exploit
CVE-2024-9093

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 23, 2024 / Updated: 58d ago

CVSS 5.3 / EPSS 0.05% / Medium

Summary

A critical vulnerability has been discovered in SourceCodester Profile Registration without Reload Refresh 1.0. The vulnerability affects an unknown part of the file del.php, specifically in the GET Parameter Handler component. This vulnerability allows for SQL injection through manipulation of the argument list.

Impact

This SQL injection vulnerability can have severe consequences. Attackers can potentially:

1. Execute unauthorized database queries, potentially leading to data theft or manipulation.
2. Bypass authentication mechanisms.
3. Elevate privileges within the application.
4. Potentially execute commands on the underlying operating system in some cases.

The vulnerability has a high impact on confidentiality, integrity, and availability of the system.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation at the moment.

Patch

As of the current information, there is no mention of an available patch for this vulnerability in SourceCodester Profile Registration without Reload Refresh 1.0.

Mitigation

While no specific patch is mentioned, consider the following mitigation strategies:

1. Implement input validation and sanitization for all user inputs, especially those used in database queries.
2. Use parameterized queries or prepared statements instead of dynamic SQL.
3. Apply the principle of least privilege to database accounts used by the application.
4. Consider using a Web Application Firewall (WAF) to help detect and block SQL injection attempts.
5. Regularly update and patch the SourceCodester Profile Registration without Reload Refresh software when updates become available.
6. If possible, temporarily disable or restrict access to the vulnerable del.php file until a patch is available.
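A defender-side check to go with the validation, detection and access-restriction items above, added here as an example that is not from the original page or the affected project: it scans web-server access-log lines for requests to del.php whose list parameter is anything other than a plain number. Assumptions: the page's "argument list" is a GET parameter named list that should carry a numeric record id, the logs use the common/combined format, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: `list` should be a numeric record id (the page does not say so).
EXPECTED_VALUE = re.compile(r"[0-9]{1,10}")
# Request line as it appears in common/combined access logs.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Sep/2024:19:20:01 +0000] "GET /del.php?list=12 HTTP/1.1" 200 15',
    '198.51.100.7 - - [27/Sep/2024:19:21:44 +0000] "GET /del.php?list=12%27 HTTP/1.1" 500 0',
    '198.51.100.7 - - [27/Sep/2024:19:21:50 +0000] "GET /del.php?list= HTTP/1.1" 200 15',
    '192.0.2.10 - - [27/Sep/2024:19:22:03 +0000] "GET /index.php?list=abc HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Sep/2024:19:23:10 +0000] "GET /app/DEL.php?list=3&list=4 HTTP/1.1" 200 15',
]

def suspicious_del_requests(lines, script="del.php", param="list"):
    """Return (line_number, client, decoded_values) for requests to `script`
    whose `param` is off the allow-list or supplied more than once."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        url = urlsplit(match.group("target"))
        # Compare the file name case-insensitively: some hosts serve DEL.php too.
        if url.path.rsplit("/", 1)[-1].lower() != script:
            continue
        # parse_qs percent-decodes, so encoded metacharacters are seen as sent.
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        off_list = [v for v in values if not EXPECTED_VALUE.fullmatch(v)]
        if off_list or len(values) > 1:
            client = line.split(" ", 1)[0]
            findings.append((lineno, client, values))
    return findings

if __name__ == "__main__":
    for lineno, client, values in suspicious_del_requests(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent {param_repr}" if False else
              f"line {lineno}: {client} sent list={values!r}")
```

The same allow-list can be enforced in front of the application (WAF or reverse-proxy rule) while del.php remains unpatched.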

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9093.

Sep 23, 2024 at 12:42 AM / Vulners.com RSS Feed

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 23, 2024 at 12:42 AM

CVE Assignment

NVD published the first details for CVE-2024-9093

Sep 23, 2024 at 1:15 AM

CVSS

A CVSS base score of 6.3 has been assigned.

Sep 23, 2024 at 1:20 AM / nvd

EPSS

EPSS Score was set to: 0.05% (Percentile: 16.3%)

Sep 23, 2024 at 9:27 AM

CVSS

A CVSS base score of 7.2 has been assigned.

Sep 27, 2024 at 4:30 PM / nvd

Proof of Concept (PoC) Released

A proof of concept exploit has been released

Sep 27, 2024 at 7:12 PM

Affected Systems

Rems/profile_registration_without_reload\/refresh

Exploits

https://github.com/jadu101/CVE/blob/main/SourceCodester_Profile_Registration_without_Reload_Refresh_1.0_SQLi.md

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

CVE-2024-9093 Exploit
CVE Id: CVE-2024-9093
Published Date: 2024-09-27T16:26:00+00:00
A vulnerability classified as critical has been found in SourceCodester Profile Registration without Reload Refresh 1.0. This affects an unknown part of the file del.php of the component GET Parameter Handler. The manipulation of the argument list leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
inTheWild added a link to an exploit: https://github.com/jadu101/CVE/blob/main/SourceCodester_Profile_Registration_without_Reload_Refresh_1.0_SQLi.md
CVE Alert: CVE-2024-9093 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9093/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9093
CVE-2024-9093
Medium Severity
Description: A vulnerability classified as critical has been found in SourceCodester Profile Registration without Reload Refresh 1.0. This affects an unknown part of the file del.php of the component GET Parameter Handler. The manipulation of the argument list leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Read more at https://www.tenable.com/cve/CVE-2024-9093
NA - CVE-2024-9093 - A vulnerability classified as critical has been...
A vulnerability classified as critical has been found in SourceCodester Profile Registration without Reload Refresh 1.0. This affects an unknown part of the file del.php of the component GET...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
