SQL Injection Vulnerability in Guangzhou Tuchuang Computer Software Development Interlib Library Cluster Automation Management System
CVE-2024-10947

7.2HIGH

Key Information:

Vendor

Guangzhou Tuchuang Computer Software Development

Status
Interlib Library Cluster Automation Management System
Vendor
CVE Published:
7 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-10947?

A significant SQL injection vulnerability has been identified in the Interlib Library Cluster Automation Management System by Guangzhou Tuchuang, specifically affecting versions up to 2.0.1. The vulnerability resides in the 'BatchOrder' file, where improper handling of the 'bookrecno' argument allows attackers to manipulate SQL queries, leading to unauthorized data access. This issue can be exploited remotely without authentication, heightening its threat level. The vendor was contacted regarding this critical issue but has not responded, leaving users vulnerable to potential exploitation.

Affected Version(s)

Interlib Library Cluster Automation Management System 2.0.0

Interlib Library Cluster Automation Management System 2.0.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10947 - Proof of Concept

References

https://vuldb.com/?id.283366
vdb-entrytechnical-description
https://vuldb.com/?ctiid.283366
signaturepermissions-required
https://vuldb.com/?submit.434450
third-party-advisory

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

wiki (VulDB User)
.