Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
CVE-2024-9322: A critical vulnerability has been discovered in Supply Chain Management version 1.0 developed by Anisha. It affects an unknown function in the file /admin/edit_manufacturer.php, where manipulation of the 'id' parameter leads to SQL injection. According to the CVSS v3.1 vector below, the flaw is exploitable remotely without user interaction or privileges. Note, however, that the CVSS v4.0 vector on this page rates it PR:L (low privileges required) and that the affected script lives under /admin/, so before treating the issue as reachable by unauthenticated clients, verify whether an authenticated session is needed to reach edit_manufacturer.php in your deployment.
This SQL injection vulnerability could allow attackers to execute unauthorized SQL commands on the backend database. Potential impacts include:
1. Unauthorized access to sensitive data stored in the database.
2. Modification or deletion of database contents, compromising data integrity.
3. Potential escalation of privileges within the application.
4. In severe cases, attackers might gain control over the database server or execute commands on the hosting system.
Given the CVSS v3.1 base score of 9.8 (Critical), this vulnerability has high impacts on the confidentiality, integrity, and availability of the system.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.
The information provided here does not mention an available patch for this vulnerability in Supply Chain Management 1.0.
While awaiting a patch, consider the following mitigation strategies:
1. Implement strict input validation for all user inputs, especially the 'id' parameter in /admin/edit_manufacturer.php: a record identifier should be accepted only if it is a well-formed integer, and rejected otherwise rather than "sanitized".
2. Use parameterized queries or prepared statements instead of dynamic SQL, so that the 'id' value is bound as data and never interpreted as part of the statement.
3. Apply the principle of least privilege to the database account used by the application (no FILE, administrative, or cross-database rights), which limits what a successful injection can reach.
4. Deploy a web application firewall (WAF) to detect and block SQL injection attempts; treat this as a compensating control, not a fix.
5. Regularly audit and monitor web-server and database activity for suspicious queries or unauthorized access attempts, for example requests to edit_manufacturer.php whose 'id' is not a plain integer.
6. If possible, temporarily disable or restrict access to the affected functionality (for example, limit /admin/ to trusted networks) until a patch is available.
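As an added illustration (not code from the Anisha application, whose source is not shown on this page), the following Python script reproduces the vulnerable pattern behind this class of bug against an in-memory SQLite database with constructed sample rows, then shows the hardened lookup from mitigations 1 and 2 (integer allow-list validation plus a bound parameter) and, for mitigation 5, a check that flags access-log requests to /admin/edit_manufacturer.php whose 'id' is not a plain integer. The table names, columns, and log lines are assumed for illustration; in PHP the equivalent fix is a PDO or mysqli prepared statement with the validated integer bound as a parameter.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample schema and rows (assumed for illustration; the real
# application's schema is not known from the advisory).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE manufacturer (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)")
    conn.executemany("INSERT INTO manufacturer VALUES (?, ?, ?)", [
        (1, "Acme Parts", "acme@example.com"),
        (2, "Globex Supply", "globex@example.com"),
        (3, "Initech Metals", "initech@example.com"),
    ])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (1, "admin", "$2y$10$constructedhash"))
    return conn


def lookup_vulnerable(conn, raw_id):
    """Dynamic SQL: the untrusted 'id' value is spliced into the statement
    unchanged, so SQL metacharacters in it become part of the query."""
    sql = f"SELECT id, name, contact FROM manufacturer WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Prepared statement: the value is bound as data and never parsed as SQL,
    so an injection payload simply fails to match any row."""
    return conn.execute(
        "SELECT id, name, contact FROM manufacturer WHERE id = ?", (raw_id,)
    ).fetchall()


ID_RE = re.compile(r"[1-9][0-9]{0,9}")  # positive integer, bounded length


def is_valid_id(raw_id):
    """Allow-list check: an 'id' must be a positive integer, nothing else."""
    return ID_RE.fullmatch(raw_id) is not None


def lookup_hardened(conn, raw_id):
    """Mitigations 1 and 2 together: reject anything that is not an integer,
    then bind the integer as a parameter."""
    if not is_valid_id(raw_id):
        raise ValueError(f"rejected id value: {raw_id!r}")
    return conn.execute(
        "SELECT id, name, contact FROM manufacturer WHERE id = ?", (int(raw_id),)
    ).fetchall()


# Mitigation 5: flag requests whose decoded 'id' fails the same allow-list.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_requests(log_lines):
    """Return the decoded 'id' values of requests to edit_manufacturer.php
    that are not plain positive integers."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin/edit_manufacturer.php"):
            continue
        for value in parse_qs(parts.query).get("id", []):  # parse_qs URL-decodes
            if not is_valid_id(value):
                flagged.append(value)
    return flagged


# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2024:10:00:01 +0000] "GET /admin/edit_manufacturer.php?id=2 HTTP/1.1" 200 1432',
    '203.0.113.7 - - [01/Oct/2024:10:00:09 +0000] "GET /admin/edit_manufacturer.php?id=1%20OR%201%3D1 HTTP/1.1" 200 4031',
    '203.0.113.7 - - [01/Oct/2024:10:00:15 +0000] "GET /admin/edit_manufacturer.php?id=0%20UNION%20SELECT%20id,username,password_hash%20FROM%20users HTTP/1.1" 200 2210',
    '198.51.100.3 - - [01/Oct/2024:10:01:00 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=2:", lookup_vulnerable(db, "2"))
    print("vulnerable, id=1 OR 1=1:", lookup_vulnerable(db, "1 OR 1=1"))
    print("parameterized, id=1 OR 1=1:", lookup_parameterized(db, "1 OR 1=1"))
    print("flagged log values:", suspicious_requests(SAMPLE_LOG))
```

Running it shows the vulnerable lookup returning every manufacturer for `1 OR 1=1` and the contents of the users table for a UNION payload, while the parameterized lookup returns nothing for the same input and the hardened one refuses it outright; the log check reports exactly the two injected `id` values and ignores the unrelated index.php request.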
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Feedly found the first article mentioning CVE-2024-9322.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9322
A CVSS base score of 6.3 has been assigned.
EPSS Score was set to: 0.05% (Percentile: 16.3%)
A CVSS base score of 9.8 has been assigned.