Exploit
CVE-2024-9918

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 13, 2024 / Updated: 37d ago

010
CVSS 5.1EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A critical vulnerability has been discovered in HuangDou UTCMS V9, specifically affecting the RunSql function in the file app/modules/ut-data/admin/sql.php. This vulnerability allows for SQL injection through the manipulation of the 'sql' argument. The attack can be initiated remotely and does not require user interaction.

Impact

This SQL injection vulnerability can have severe consequences. Given the CVSS v3.1 score of 7.2 (High) and the fact that confidentiality, integrity, and availability impacts are all rated as HIGH, successful exploitation could lead to: 1. Unauthorized access to sensitive data in the database 2. Modification or deletion of database contents 3. Potential execution of arbitrary commands on the database server 4. Possible escalation of privileges within the application or underlying system The attack vector being NETWORK means it can be exploited remotely, increasing the potential attack surface.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the latest information provided, no specific patch has been mentioned. The vendor (HuangDou) was contacted about this disclosure but did not respond, suggesting that a patch may not be immediately available. Users of UTCMS V9 should monitor for updates from the vendor and consider alternative mitigation strategies in the meantime.

Mitigation

Given the criticality of the vulnerability and the lack of a vendor-provided patch, the following mitigation steps are recommended: 1. Implement strict input validation and sanitization for all user inputs, especially those that interact with the RunSql function. 2. Use parameterized queries or prepared statements instead of dynamic SQL construction. 3. Apply the principle of least privilege to database accounts used by the application. 4. Consider implementing a Web Application Firewall (WAF) to help detect and block SQL injection attempts. 5. Regularly audit and monitor database activities for any suspicious queries or unauthorized access attempts. 6. If possible, consider temporarily disabling or restricting access to the affected RunSql function until a proper fix is available. 7. Keep the UTCMS software and all associated components up to date with the latest security patches. 8. Conduct a thorough security assessment of the entire application to identify and address any similar vulnerabilities.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9918

Oct 13, 2024 at 8:15 PM
First Article

Feedly found the first article mentioning CVE-2024-9918. See article

Oct 13, 2024 at 8:16 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 13, 2024 at 8:16 PM
CVSS

A CVSS base score of 4.7 has been assigned.

Oct 13, 2024 at 8:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 14, 2024 at 9:47 AM
CVSS

A CVSS base score of 7.2 has been assigned.

Oct 19, 2024 at 12:50 AM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 19, 2024 at 6:11 AM
Static CVE Timeline Graph

Affected Systems

Usualtool/usualtoolcms
+null more

Exploits

https://github.com/DeepMountains/zzz/blob/main/CVE5-3.md
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

News

National Institute of Standards and Technology (.gov) - NVD - Home
CVE-2024-9968 - WebEIP v3.0 from NewType does not properly validate user input, allowing remote attackers with regular privilege to inject SQL commands to read, modify, and delete data stored in database. CVE-2024-9969 - NewType WebEIP v3.0 does not properly validate user input, allowing a remote attacker with regular privileges to insert JavaScript into specific parameters, resulting in a Reflected Cross-site Scripting (XSS) attack.
CVE-2024-9918 Exploit
CVE Id : CVE-2024-9918 Published Date: 2024-10-19T00:47:00+00:00 A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/sql.php. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. inTheWild added a link to an exploit: https://github.com/DeepMountains/zzz/blob/main/CVE5-3.md
Update Wed Oct 16 14:41:55 UTC 2024
Update Wed Oct 16 14:41:55 UTC 2024
US-CERT Vulnerability Summary for the Week of October 7, 2024
ABB–RobotWare 6 An attacker who successfully exploited these vulnerabilities could cause the robot to stop. A vulnerability exists in the PROFINET stack included in the RobotWare versions listed below. This vulnerability arises under specific condition when specially crafted message is processed by the system. Below are reported vulnerabilities in the Robot Ware versions. * IRC5- RobotWare 6 2024-10-10 5.1 CVE-2024-6157 [email protected] adamskaat–Read more By Adam The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons. 2024-10-12 4.3 CVE-2024-9187 [email protected] [email protected] adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-10-09 5.5 CVE-2024-47419 [email protected] adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR.
CVE-2024-9918
Medium Severity Description A vulnerability has been found in HuangDou UTCMS V9 and classified as critical. This vulnerability affects the function RunSql of the file app/modules/ut-data/admin/sql.php. The manipulation of the argument sql leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Read more at https://www.tenable.com/cve/CVE-2024-9918
See 13 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI