SQL Injection Vulnerability in Dingfanzu CMS Affecting Checkin Functionality
CVE-2024-8301

9.8CRITICAL

Key Information:

Vendor
Dingfanzu
Status
Cms
Vendor
CVE Published:
29 August 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A critical security vulnerability has been identified in Dingfanzu CMS, specifically related to an insecure implementation in the file checkin.php. The flaw arises from improper handling of the username argument, which can be exploited through SQL injection. This vulnerability allows adversaries to execute arbitrary SQL commands remotely, potentially leading to unauthorized access or manipulation of the underlying database. The vendor has not provided a timely response regarding this issue, highlighting the urgent need for affected users to address their security posture.

Affected Version(s)

CMS 29d67d9044f6f93378e6eb6ff92272217ff7225c

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-8301 - Proof of Concept

References

https://vuldb.com/?id.276073
vdb-entrytechnical-description
https://vuldb.com/?ctiid.276073
signaturepermissions-required
https://vuldb.com/?submit.396294
third-party-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

fjjwebray.com.cn (VulDB User)
.