SQL Injection Vulnerability in SourceCodester Contact Manager
CVE-2024-8380

9.8CRITICAL

Key Information:

Vendor
Sourcecodester
Status
Contact Manager With Export To Vcf
Vendor
CVE Published:
3 September 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A critical SQL injection vulnerability exists in the Delete Contact Handler of SourceCodester's Contact Manager with Export to VCF version 1.0. This flaw is located in the file '/endpoint/delete-account.php', where improper handling of user inputs allows for unauthorized SQL commands to be executed. As a result, attackers can potentially manipulate the 'contact' argument, leading to unauthorized access to the database. The vulnerability can be exploited remotely, thereby posing a significant risk to users. Quick remediation is advised as the exploit has been publicly disclosed and may be weaponized by malicious actors.

Affected Version(s)

Contact Manager with Export to VCF 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-8380 - Proof of Concept

References

https://vuldb.com/?id.276353
vdb-entrytechnical-description
https://vuldb.com/?ctiid.276353
signaturepermissions-required
https://vuldb.com/?submit.401249
third-party-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

Credit

jadu101 (VulDB User)
.