CVE-2024-9973

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 5.3 / EPSS 0.06% / Medium

Summary

A critical vulnerability has been discovered in SourceCodester Online Eyewear Shop version 1.0. The issue affects an unknown function in the Report Viewing Page component, specifically in the file /admin/?page=reports. The vulnerability allows for SQL injection through the manipulation of the 'date' argument. This vulnerability can be exploited remotely without requiring user interaction or special privileges.

Impact

Successful exploitation of this SQL injection vulnerability could lead to unauthorized access to the database, potentially allowing attackers to read, modify, or delete sensitive data. Given the critical nature of the vulnerability, attackers could potentially gain full control over the database, compromising the confidentiality, integrity, and availability of the system. This could result in data theft, unauthorized modifications to the database, or even complete system compromise.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

As of the current information, there is no mention of an available patch for this vulnerability. Users of SourceCodester Online Eyewear Shop 1.0 should be on high alert and consider alternative mitigation strategies until a patch is released.

Mitigation

While waiting for an official patch, consider the following mitigation steps:

1. Implement strong input validation and sanitization for all user inputs, especially the 'date' parameter handled by the affected file.
2. Use parameterized queries or prepared statements to prevent SQL injection attacks.
3. Apply the principle of least privilege to the database accounts used by the application.
4. Monitor and log all activity on the affected system, particularly requests to the Report Viewing Page.
5. Consider temporarily disabling the affected functionality if it is not critical to operations.
6. Deploy a Web Application Firewall (WAF) to help filter malicious requests.
7. Update and patch the application as soon as fixes become available.
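As an added illustration of mitigation steps 1 and 2 (this is example code written for this page, not code from the Online Eyewear Shop project, whose report query is not shown here), the following Python/sqlite3 sketch contrasts a report query that splices the date parameter into the SQL text with one that accepts only a strict YYYY-MM-DD value and binds it as a query parameter. The orders table, its columns and its rows are constructed sample data.

```python
import re
import sqlite3
from datetime import date

# Constructed sample data standing in for the shop's orders table (not the real schema).
SAMPLE_ORDERS = [
    (1, "2024-10-14", 120.0),
    (2, "2024-10-15", 80.0),
    (3, "2024-10-15", 45.5),
    (4, "2024-10-16", 200.0),
]


def make_db():
    """In-memory SQLite database loaded with the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, order_date TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def report_vulnerable(conn, day):
    """The defect pattern the advisory describes: the request value becomes SQL text."""
    sql = "SELECT id, total FROM orders WHERE order_date = '" + day + "' ORDER BY id"
    return conn.execute(sql).fetchall()


DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def parse_report_date(day):
    """Mitigation step 1: accept only a strict YYYY-MM-DD value; anything else is rejected."""
    if not DATE_RE.fullmatch(day):
        raise ValueError("date must be YYYY-MM-DD")
    # fromisoformat additionally rejects impossible calendar dates such as 2024-02-30.
    return date.fromisoformat(day)


def report_hardened(conn, day):
    """Mitigation step 2: the validated value is bound as a parameter, never spliced in."""
    d = parse_report_date(day)
    return conn.execute(
        "SELECT id, total FROM orders WHERE order_date = ? ORDER BY id",
        (d.isoformat(),),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(report_hardened(conn, "2024-10-15"))  # rows 2 and 3 only
```

With the vulnerable function a quote in the value widens the WHERE clause to other dates; the hardened function rejects the same value before any SQL runs.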

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9973. See article

Oct 15, 2024 at 9:40 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 9:40 AM
CVE Assignment

NVD published the first details for CVE-2024-9973

Oct 15, 2024 at 10:15 AM
CVSS

A CVSS base score of 6.3 has been assigned.

Oct 15, 2024 at 10:20 AM / nvd
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 15, 2024 at 7:30 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 15, 2024 at 9:10 PM
Threat Intelligence Report

CVE-2024-9973 is a critical SQL injection vulnerability in SourceCodester Online Eyewear Shop version 1.0, allowing remote exploitation through the manipulation of the 'date' argument, with a CVSS score of 9.8 assigned. While a proof-of-concept exploit is available, there is currently no patch, and users are advised to implement strong input validation, use parameterized queries, and monitor system activities as mitigation strategies. The vulnerability poses significant risks, including unauthorized access to sensitive data and potential system compromise. See article

Oct 15, 2024 at 11:50 PM
EPSS

EPSS Score was set to: 0.06% (Percentile: 27.9%)

Oct 16, 2024 at 11:01 AM

Affected Systems

Oretnom23/online_eyewear_shop

Exploits

https://gist.github.com/higordiego/b9699573de61b26f2290e69f38d23fd0

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Update Wed Oct 16 14:41:55 UTC 2024
CVE-2024-9973 Exploit
CVE Id : CVE-2024-9973 Published Date: 2024-10-15T19:27:00+00:00 A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/?page=reports of the component Report Viewing Page. The manipulation of the argument date leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://gist.github.com/higordiego/b9699573de61b26f2290e69f38d23fd0
NA - CVE-2024-9973 - A vulnerability was found in SourceCodester...
A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/?page=reports of the component Report...
CVE-2024-9973
Severity 3.1 (CVSS 3.1 Base Score)
Remote SQL Injection Vulnerability in SourceCodester Online Eyewear Shop Report Viewing Page
Sourcecodester - MEDIUM - CVE-2024-9973 A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/?page=reports of the component Report Viewing Page. The manipulation of the argument date leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
