SQL Injection Vulnerability in ContiNew Admin Products
CVE-2024-8155

4.9MEDIUM

Key Information:

Vendor
Continew
Status
Admin
Vendor
CVE Published:
25 August 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A critical vulnerability exists in ContiNew Admin version 3.2.0 that allows for SQL injection via manipulated API parameters. Specifically, the flaw lies in the BaseController's tree function, which processes the '/api/system/dept/tree?sort=parentId%2Casc&sort=sort%2Casc' endpoint without adequate validation of input. This security risk enables attackers to exploit the vulnerability remotely, potentially leading to unauthorized access to sensitive information or modification of the database. Despite early notification of the flaw, the vendor has not responded adequately, raising concerns about the responsiveness of their security practices. Organizations using this product are strongly advised to implement immediate remediation measures to safeguard against potential exploitation.

Affected Version(s)

Admin 3.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-8155 - Proof of Concept

References

https://vuldb.com/?id.275743
vdb-entrytechnical-description
https://vuldb.com/?ctiid.275743
signaturepermissions-required
https://vuldb.com/?submit.391851
third-party-advisory

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

Credit

Chiexf (VulDB User)
Chiexf (VulDB User)
.