Exploit
CVE-2024-9808

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 10, 2024 / Updated: 40d ago

CVSS 5.3 / EPSS 0.05% / Medium

Summary

A critical vulnerability has been discovered in SourceCodester Online Eyewear Shop version 1.0. The vulnerability affects an unknown function in the file /admin/?page=products/view_product. The issue allows for SQL injection through the manipulation of the 'id' argument. This vulnerability can be exploited remotely.

Impact

The primary impact of this vulnerability is on data confidentiality. Successful exploitation could lead to unauthorized access to sensitive information stored in the database. Given the CVSS v3.1 base score of 6.5 (Medium severity) and the confidentiality impact rated as HIGH, attackers could potentially extract, modify, or delete critical data from the affected system. This could result in significant data breaches, loss of customer trust, and potential legal and regulatory consequences.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, there is no mention of an available patch for this vulnerability. Users of SourceCodester Online Eyewear Shop 1.0 should monitor for updates from the vendor and apply any security patches as soon as they become available.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. Implement input validation and sanitization for all user-supplied data, especially the 'id' parameter in the affected file.
2. Use parameterized queries or prepared statements to prevent SQL injection attacks.
3. Apply the principle of least privilege to database accounts used by the application.
4. Consider implementing a Web Application Firewall (WAF) to filter malicious requests.
5. Regularly monitor and audit database access and activities for any suspicious behavior.
6. If possible, temporarily restrict access to the affected admin page or implement additional authentication measures.
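A worked illustration of mitigations 1, 2 and 5 for the 'id' parameter of the product view page. This is an added example, not code from the Online Eyewear Shop project (which this page does not show); it uses an in-memory SQLite table as a stand-in for the shop's product table, and the table, column and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample rows; the schema is an assumed stand-in, not the shop's own.
SAMPLE_PRODUCTS = [(1, "Aviator", 120.0), (2, "Wayfarer", 95.0), (3, "Round", 80.0)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, cost REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return db


def view_product_vulnerable(db, raw_id):
    """CWE-89 pattern: the request's 'id' is spliced into the SQL text, so the
    caller of the page controls the shape of the query, not just a value."""
    return db.execute("SELECT id, name FROM products WHERE id = " + raw_id).fetchall()


def is_valid_product_id(raw_id):
    """Mitigation 1: a product id is a short ASCII integer; anything else is
    rejected before it reaches the database (the length bound is an assumed policy)."""
    return re.fullmatch(r"[0-9]{1,10}", raw_id) is not None


def view_product_hardened(db, raw_id):
    """Mitigations 1 and 2: validate the type, then bind the value as a query
    parameter so the SQL text is fixed and 'id' can only be compared as data."""
    if not is_valid_product_id(raw_id):
        raise ValueError("invalid product id")
    return db.execute("SELECT id, name FROM products WHERE id = ?",
                      (int(raw_id),)).fetchall()


def flag_request(page, raw_id):
    """Mitigation 5 as an audit or WAF rule over access logs: flag requests to
    the affected page whose 'id' is not a plain integer."""
    return page == "products/view_product" and not is_valid_product_id(raw_id)


if __name__ == "__main__":
    db = make_db()
    print(view_product_hardened(db, "2"))                    # [(2, 'Wayfarer')]
    print(flag_request("products/view_product", "2 OR 1=1"))  # True
```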

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9808. See article

Oct 10, 2024 at 9:25 AM / VulDB Updates
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 10, 2024 at 9:26 AM
CVE Assignment

NVD published the first details for CVE-2024-9808

Oct 10, 2024 at 8:15 PM
CVSS

A CVSS base score of 6.3 has been assigned.

Oct 10, 2024 at 8:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 11, 2024 at 10:19 AM
CVSS

A CVSS base score of 6.5 has been assigned.

Oct 15, 2024 at 7:20 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 15, 2024 at 9:10 PM

Affected Systems

Oretnom23/online_eyewear_shop

Exploits

https://github.com/r1ckyL/cve/blob/main/sql.md

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
