SQL Injection Vulnerability in SiAdmin 1.1 Allows Remote Attackers to Steal Sensitive Information
CVE-2024-4992

9.8CRITICAL

Key Information:

Vendor: Siadmin
Status: Siadmin
Vendor: CVE Published:; 16 May 2024

What is CVE-2024-4992?

A vulnerability exists in SiAdmin 1.1 that permits SQL injection through the 'nim' parameter in the /modul/mod_kuliah/aksi_kuliah.php endpoint. This security flaw allows a remote attacker to execute specially crafted SQL commands, potentially exposing all data stored within the application. If exploited, this could lead to unauthorized access to sensitive user information, making it critical for users to apply the necessary security measures.

Affected Version(s)

SiAdmin 1.1

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2024
Vulnerability Reserved
May 16, 2024

Credit

Rafael Pedrero

Siadmin

What is CVE-2024-4992?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit