SQL Injection Vulnerability in Hitout Carsale Product
CVE-2024-6438

6.5MEDIUM

Key Information:

Vendor: Hitout Carsale
Status: Carsale
Vendor: CVE Published:; 2 July 2024

Summary

A significant SQL injection vulnerability has been identified in Hitout Carsale version 1.0. The affected component is the OrderController.java file, where manipulation of the 'orderBy' argument can lead to unauthorized SQL code execution. This vulnerability can be exploited remotely, allowing attackers to compromise the application without needing direct physical access. Given the public disclosure of this exploit, it's critical for organizations using this software to implement immediate security measures to safeguard their data and systems from potential attacks.

References

https://vuldb.com/?id.270166

https://vuldb.com/?ctiid.270166

https://vuldb.com/?submit.366239

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 2, 2024