Remote SQL Injection Vulnerability in Codezips E-Commerce Website
CVE-2024-12884

9.8CRITICAL

Key Information:

Vendor

Codezips

Status
E-commerce Website
Vendor
CVE Published:
21 December 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-12884?

CVE-2024-12884 is a critical SQL injection vulnerability identified in the Codezips E-Commerce Website version 1.0. It specifically affects the '/login.php' file, where improper handling of the 'email' argument can lead to SQL injection attacks. This vulnerability allows attackers to execute arbitrary SQL queries on the database, potentially exposing sensitive user information or compromising the integrity of the application. Given that the attack can be launched remotely, it poses a significant risk to the security of any instance of this web application. Users are advised to immediately apply available patches or mitigate potential exploitation by implementing best security practices.

Affected Version(s)

E-Commerce Website 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-12884 - Proof of Concept

References

https://vuldb.com/?id.289142
vdb-entrytechnical-description
https://vuldb.com/?ctiid.289142
signaturepermissions-required
https://vuldb.com/?submit.466519
third-party-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

geochen (VulDB User)
.