SQL Injection Vulnerability in SourceCodester Establishment Billing Management System
CVE-2024-7286

9.8CRITICAL

Key Information:

Vendor
Sourcecodester
Status
Establishment Billing Management System
Vendor
CVE Published:
31 July 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A significant security flaw has been identified in the SourceCodester Establishment Billing Management System 1.0, where a SQL injection vulnerability exists within the login functionality located at /admin/ajax.php?action=login. This vulnerability allows remote attackers to manipulate the username input, potentially leading to unauthorized database access. Such an exploit may allow attackers to view, modify, or delete sensitive data within the database. The publicly disclosed nature of this vulnerability elevates the urgency for users to apply necessary patches or implement mitigation strategies swiftly to safeguard their systems against potential exploit attempts. Users are encouraged to review their system configurations and ensure that adequate security measures are in place to prevent such SQL injection attacks.

Affected Version(s)

Establishment Billing Management System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-7286 - Proof of Concept

References

https://vuldb.com/?id.273155
vdb-entrytechnical-description
https://vuldb.com/?ctiid.273155
signaturepermissions-required
https://vuldb.com/?submit.381468
third-party-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

topsky979 (VulDB User)
.