Vulnerability in AMTT Hotel Broadband Operation System Could Lead to Remote SQL Injection
CVE-2024-11051

8.8HIGH

Key Information:

Vendor
Amtt
Status
Hotel Broadband Operation System
Vendor
CVE Published:
10 November 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A vulnerability exists in the AMTT Hotel Broadband Operation System, specifically in the online_status.php file located within the manager's front desk operations. Through inadequate validation of the AccountID argument, this flaw enables remote attackers to execute SQL injection attacks. The manipulation of this parameter can facilitate unauthorized data access or alteration, posing a significant security concern. Although the vendor has been informed about this issue, there has been no response, raising concerns regarding the potential exploitation of this vulnerability.

Affected Version(s)

Hotel Broadband Operation System 3.0.3.151204

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-11051 - Proof of Concept

References

https://vuldb.com/?id.283794
vdb-entrytechnical-description
https://vuldb.com/?ctiid.283794
signaturepermissions-required
https://vuldb.com/?submit.432691
third-party-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

wiki (VulDB User)
.