SQL Injection Vulnerability in EGavilan Media's Address Book Product
CVE-2020-29474

9.8CRITICAL

Key Information:

Vendor: Egavilanmedia
Status: Egm Address Book
Vendor: CVE Published:; 24 December 2020

🔔 Create Egavilanmedia Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2020-29474?

EGavilan Media's Address Book version 1.0 is susceptible to a SQL injection flaw, allowing attackers to manipulate SQL queries to gain unauthorized access to the Admin Panel. By executing crafted SQL statements, threat actors can potentially perform remote arbitrary code execution, posing significant risks to data integrity and system security. Users are advised to apply security patches and follow best practices to mitigate the influence of this vulnerability.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-29474 - Proof of Concept

References

https://www.exploit-db.com/exploits/49182

x_refsource_MISC

https://systemweakness.com/cve-2020-29474-egavilanmedia-a...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Dec 24, 2020
👾
Exploit known to exist
Dec 24, 2020
Vulnerability published
Dec 24, 2020
Vulnerability Reserved
Dec 2, 2020

CVE-2020-29474 Data

JSON