SQL Injection Vulnerability in itsourcecode Document Management System
CVE-2024-6014

9.8CRITICAL

Key Information:

Vendor
Itsourcecode
Status
Document Management System
Vendor
CVE Published:
15 June 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A significant SQL injection vulnerability has been identified in the itsourcecode Document Management System version 1.0, particularly affecting the edithis.php file. This flaw enables attackers to manipulate the 'id' parameter, potentially allowing them to execute unauthorized SQL commands on the backend database. The nature of this exploitation permits remote execution of attacks, making it critical for organizations utilizing this software to take immediate action. The vulnerability has been publicly disclosed, and its implications could lead to severe data breaches, unauthorized data manipulation, and system compromise. It is crucial for users to apply available patches or implement mitigations to secure their installations.

Affected Version(s)

Document Management System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-6014 - Proof of Concept

References

https://vuldb.com/?id.268722
vdb-entrytechnical-description
https://vuldb.com/?ctiid.268722
signaturepermissions-required
https://vuldb.com/?submit.357246
third-party-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

momo2024 (VulDB User)
.