SQL Injection Vulnerability in Dingfanzu CMS
CVE-2024-8303

6.3MEDIUM

Key Information:

Vendor
Dingfanzu
Status
Cms
Vendor
CVE Published:
29 August 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A significant SQL injection vulnerability has been identified in Dingfanzu CMS, specifically affecting the file '/ajax/getBasicInfo.php'. By manipulating the 'username' parameter, attackers can execute malicious SQL commands remotely, leading to unauthorized database access and potential data breaches. This flaw is particularly concerning as it exists in a version of the software that lacks versioning information, making it difficult for users to ascertain their risk. Despite early warnings, the vendor has not provided any public response or patches, leaving users vulnerable to potential exploitation. Organizations using Dingfanzu CMS should take immediate action to assess their exposure and implement security measures to mitigate risks.

Affected Version(s)

CMS 29d67d9044f6f93378e6eb6ff92272217ff7225c

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-8303 - Proof of Concept

References

https://vuldb.com/?id.276075
vdb-entrytechnical-description
https://vuldb.com/?ctiid.276075
signaturepermissions-required
https://vuldb.com/?submit.396298
third-party-advisory

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

fjjwebray.com.cn (VulDB User)
.