Exploit
CVE-2024-9974

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 5.3 / EPSS 0.06% / Medium

Summary

A critical vulnerability has been discovered in SourceCodester Online Eyewear Shop version 1.0. The vulnerability affects the POST Request Handler component, specifically in the file classes/Master.php?f=add_to_card. This flaw allows for SQL injection through the manipulation of the 'product_id' argument.

Impact

This SQL injection vulnerability can have severe consequences. An attacker can potentially:

1. Access, modify, or delete sensitive data in the database
2. Bypass authentication mechanisms
3. Execute administrative operations on the database
4. In some cases, issue commands to the operating system

The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), indicating maximum impact on confidentiality, integrity, and availability. It can be exploited remotely without requiring user interaction or special privileges.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of in-the-wild exploitation at the moment.

Patch

As of now, there is no information provided about an available patch for this vulnerability in SourceCodester Online Eyewear Shop 1.0.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:

1. Implement input validation and sanitization for all user inputs, especially the 'product_id' parameter.
2. Use parameterized queries or prepared statements instead of dynamic SQL queries.
3. Apply the principle of least privilege to database accounts used by the application.
4. Consider temporarily disabling the affected functionality if possible without disrupting critical business operations.
5. Monitor for any suspicious database activities or unexpected queries.
6. Keep the system isolated and limit network access to the vulnerable application.

Given the critical nature of this vulnerability and the availability of a public exploit, prioritize this issue for immediate attention and remediation.
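As an added illustration of mitigation items 1 and 2 (example code written for this page, not source from the Online Eyewear Shop project), the PHP below contrasts a hypothetical add_to_card handler that interpolates product_id straight into the query with one that validates the value and binds it through a prepared statement. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table, column names and rows are constructed for the demo, and the same PDO calls apply unchanged to a MySQL DSN.

```php
<?php
// Added example, not the project's code. Requires the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows standing in for the shop's product table.
$pdo->exec('CREATE TABLE product_list (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO product_list VALUES (1, 'Aviator', 49.99), (2, 'Wayfarer', 59.99)");

// Hypothetical vulnerable handler: the request value is concatenated into SQL,
// so the database parses whatever the client sent as part of the statement.
function add_to_cart_unsafe(PDO $pdo, string $product_id): array
{
    $sql = "SELECT id, name, price FROM product_list WHERE id = '{$product_id}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened handler: reject anything that is not an unsigned integer (mitigation
// item 1), then pass the value as a bound parameter (item 2) so it can only ever
// be treated as data, never as SQL syntax.
function add_to_cart_safe(PDO $pdo, string $product_id): array
{
    if (!ctype_digit($product_id)) {
        throw new InvalidArgumentException('product_id must be an unsigned integer');
    }
    $stmt = $pdo->prepare('SELECT id, name, price FROM product_list WHERE id = :id');
    $stmt->bindValue(':id', (int) $product_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, and the textbook tautology that turns the
// WHERE clause into "id = '1' OR '1'='1'" in the unsafe version.
$normal    = '1';
$tautology = "1' OR '1'='1";

printf("unsafe, normal:    %d row(s)\n", count(add_to_cart_unsafe($pdo, $normal)));    // 1
printf("unsafe, tautology: %d row(s)\n", count(add_to_cart_unsafe($pdo, $tautology))); // 2: every product leaked
printf("safe, normal:      %d row(s)\n", count(add_to_cart_safe($pdo, $normal)));      // 1
try {
    add_to_cart_safe($pdo, $tautology);
} catch (InvalidArgumentException $e) {
    echo "safe, tautology:   rejected (" . $e->getMessage() . ")\n";
}
```

The type check and the prepared statement are independent layers: binding alone already stops the injection, while the ctype_digit check additionally gives a clean 4xx-style rejection point that is easy to log and alert on (mitigation item 5) instead of letting malformed ids reach the database at all.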

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9974.

Oct 15, 2024 at 9:40 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 9:40 AM
CVE Assignment

NVD published the first details for CVE-2024-9974

Oct 15, 2024 at 10:15 AM
CVSS

A CVSS base score of 6.3 has been assigned.

Oct 15, 2024 at 10:20 AM / nvd
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 15, 2024 at 7:30 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 15, 2024 at 9:10 PM
EPSS

EPSS Score was set to: 0.06% (Percentile: 27.9%)

Oct 16, 2024 at 11:00 AM
Threat Intelligence Report

CVE-2024-9974 is a critical SQL injection vulnerability in SourceCodester Online Eyewear Shop version 1.0, with a CVSS score of 9.8, allowing attackers to access, modify, or delete sensitive database information. While a proof-of-concept exploit is available, there is currently no evidence of exploitation in the wild or an official patch. Mitigation strategies include input validation, using parameterized queries, and monitoring for suspicious database activities.

Oct 16, 2024 at 4:53 PM

Affected Systems

Oretnom23/online_eyewear_shop

Exploits

https://gist.github.com/higordiego/2373b9e3e89f03e5f8888efd38eb4b48

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

CVE-2024-9974 - Exploits & Severity - Feedly
In some cases, issue commands to the operating system. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), indicating maximum impact on confidentiality, integrity, and availability. As of now, there is no information provided about an available patch for this vulnerability in SourceCodester Online Eyewear Shop 1.0.

News

Update Wed Oct 16 14:41:55 UTC 2024
CVE-2024-9974 Exploit
CVE Id : CVE-2024-9974 Published Date: 2024-10-15T19:28:00+00:00 A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file classes/Master.php?f=add_to_card of the component POST Request Handler. The manipulation of the argument product_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://gist.github.com/higordiego/2373b9e3e89f03e5f8888efd38eb4b48
NA - CVE-2024-9974 - A vulnerability was found in SourceCodester...
A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file...
CVE-2024-9974
Severity 3.1 (CVSS 3.1 Base Score) A vulnerability was found in SourceCodester Online Eyewear Shop 1.0.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
