SQL Injection Vulnerability in SiAdmin 1.1 Allows Remote Attackers to Steal Sensitive Information
CVE-2024-4991

9.8CRITICAL

Key Information:

Vendor: Siadmin
Status: Siadmin
Vendor: CVE Published:; 16 May 2024

What is CVE-2024-4991?

A vulnerability exists in SiAdmin version 1.1 that permits SQL injection through inadequate validation of user input in the /modul/mod_pass/aksi_pass.php endpoint. Attackers can exploit this flaw by crafting malicious SQL queries to manipulate the application's database. This could lead to unauthorized access to sensitive data, including user credentials and personal information stored in the database. Proper input sanitization and validation measures are essential to mitigate this risk and protect user data.

Affected Version(s)

SiAdmin 1.1

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2024
Vulnerability Reserved
May 16, 2024

Credit

Rafael Pedrero

Siadmin

What is CVE-2024-4991?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit