SQL Injection Vulnerability in Bylancer Quicklancer 2.4
CVE-2024-7188

9.8CRITICAL

Key Information:

Vendor

Bylancer

Status
Quicklancer
Vendor
CVE Published:
29 July 2024

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC๐ŸŸฃ EPSS 86%

What is CVE-2024-7188?

A serious SQL injection vulnerability exists within Bylancer Quicklancer version 2.4, specifically affecting the GET Parameter Handler associated with the /listing functionality. This flaw allows attackers to manipulate the argument 'range2', leading to unauthorized SQL command execution on the underlying database. Since the vulnerability can be exploited remotely, it poses a significant risk to any user of the affected product. The vulnerability has been publicly disclosed, and as of the latest reports, the vendor has not addressed the security concerns raised. Early detection and remediation of this vulnerability are essential for protecting systems that utilize this product.

Affected Version(s)

Quicklancer 2.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-7188 - Proof of Concept

References

https://vuldb.com/?id.272609
vdb-entrytechnical-description
https://vuldb.com/?ctiid.272609
signaturepermissions-required
https://vuldb.com/?submit.378279
third-party-advisory

EPSS Score

86% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

godfather (VulDB User)
.