Exploit
CVE-2024-9905

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 13, 2024 / Updated: 38d ago

CVSS 5.3 / EPSS 0.05% / Medium

Summary

A critical vulnerability has been discovered in SourceCodester Online Eyewear Shop version 1.0. The issue affects the processing of the file /admin/?page=inventory/view_inventory&id=2. Manipulation of the 'id' argument can lead to SQL injection. This vulnerability can be exploited remotely.

Impact

This SQL injection vulnerability could allow attackers to execute arbitrary SQL commands on the backend database. Potential impacts include:

1. Unauthorized access to sensitive data stored in the database
2. Modification or deletion of database contents
3. Potential escalation of privileges within the application
4. In severe cases, possible execution of commands on the hosting server

Given the CVSS v3.1 score of 8.8 (Critical) and impacts rated as HIGH for confidentiality, integrity, and availability, this vulnerability poses a significant risk to the affected systems.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, there is no mention of an available patch for this vulnerability in SourceCodester Online Eyewear Shop 1.0.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:

1. Implement input validation and sanitization for all user inputs, especially the 'id' parameter in the affected file.
2. Use parameterized queries or prepared statements to prevent SQL injection.
3. Apply the principle of least privilege to the database user used by the application.
4. Consider temporarily disabling access to the affected admin page if possible.
5. Monitor for any suspicious activities or unauthorized access attempts.
6. Keep the SourceCodester Online Eyewear Shop software and all related components up to date.
7. Implement a Web Application Firewall (WAF) to help filter out malicious requests.
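The following is an added example illustrating mitigation points 1 and 2 (input validation plus a parameterized query) for a view-by-id lookup like the one on the affected page. It is not code from the Online Eyewear Shop project: the project's real schema and database layer are not on this page, so the inventory table, its columns, and the use of an in-memory sqlite3 database as a stand-in for the application's MySQL backend are all assumptions made for the demonstration. The vulnerable function shows the string-splicing pattern that makes the id argument injectable; the hardened function shows the fix.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory inventory table (sample data, not the project's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (id INTEGER PRIMARY KEY, product TEXT, qty INTEGER)"
    )
    conn.executemany(
        "INSERT INTO inventory VALUES (?, ?, ?)",
        [(1, "Aviator", 12), (2, "Wayfarer", 7), (3, "Round", 3)],
    )
    conn.commit()
    return conn


def view_inventory_vulnerable(conn, raw_id):
    """The injectable pattern: the request parameter is spliced into the SQL text.

    Whatever the caller puts in the id argument becomes part of the WHERE clause,
    so the query shape is under the requester's control (CWE-89).
    """
    sql = f"SELECT id, product, qty FROM inventory WHERE id = '{raw_id}'"
    return conn.execute(sql).fetchall()


def parse_id(raw_id):
    """Mitigation 1: validate the type before the value goes anywhere near SQL.

    An inventory id is an unsigned integer; anything else is rejected outright,
    which also gives the application a clear event to log (mitigation 5).
    """
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("id must be an unsigned integer")
    return int(raw_id)


def view_inventory_hardened(conn, raw_id):
    """Mitigation 2: bind the validated value as a query parameter.

    The SQL text is a constant; the driver sends the value separately, so the
    WHERE clause cannot be altered by the request. Run this against a database
    account limited to SELECT on the tables it needs (mitigation 3).
    """
    record_id = parse_id(raw_id)
    sql = "SELECT id, product, qty FROM inventory WHERE id = ?"
    return conn.execute(sql, (record_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A legitimate request behaves the same way in both versions.
    print(view_inventory_vulnerable(db, "2"))
    print(view_inventory_hardened(db, "2"))
    # A tautology appended to the id changes the vulnerable query's shape and
    # returns every row; the hardened version refuses the input instead.
    tampered = "2' OR '1'='1"
    print(view_inventory_vulnerable(db, tampered))
    try:
        view_inventory_hardened(db, tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

The two mitigations are complementary: validation narrows the accepted input to what the page actually needs, and parameter binding removes the ability to alter the query even for inputs that pass validation in other, less strictly typed parameters.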

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9905.

Oct 13, 2024 at 2:47 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 13, 2024 at 2:48 AM
CVE Assignment

NVD published the first details for CVE-2024-9905

Oct 13, 2024 at 3:15 AM
CVSS

A CVSS base score of 6.3 has been assigned.

Oct 13, 2024 at 3:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 13, 2024 at 12:22 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 16, 2024 at 10:15 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 17, 2024 at 1:10 AM

Affected Systems

Oretnom23/online_eyewear_shop

Exploits

https://gist.github.com/higordiego/8679961c9d732e4068aaa37fd8d01439

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

CVE-2024-9905 Exploit
CVE Id: CVE-2024-9905. Published Date: 2024-10-16T22:12:00+00:00. A vulnerability, which was classified as critical, has been found in SourceCodester Online Eyewear Shop 1.0. This issue affects some unknown processing of the file /admin/?page=inventory/view_inventory&id=2. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://gist.github.com/higordiego/8679961c9d732e4068aaa37fd8d01439
CVE Alert: CVE-2024-9905 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9905/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9905
CVE Alert: CVE-2024-9905
Affected Endpoints: No affected endpoints listed.
CVE-2024-9905
Medium Severity. Description: A vulnerability, which was classified as critical, has been found in SourceCodester Online Eyewear Shop 1.0. This issue affects some unknown processing of the file /admin/?page=inventory/view_inventory&id=2. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9905

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
