SQL Injection Vulnerability in LyLme_spage Web Application
CVE-2024-9788

7.2HIGH

Key Information:

Vendor
LyLme
Status
Lylme Spage
Vendor
CVE Published:
10 October 2024

Badges

👾 Exploit Exists

Summary

A severe SQL injection vulnerability has been identified in the LyLme_spage web application, specifically affecting version 1.9.5. The vulnerability arises from improper handling of input parameters in the /admin/tag.php file, allowing attackers to manipulate the 'id' argument. This exploitation could enable unauthorized access to the underlying database, potentially exposing sensitive data or facilitating further attacks. The flaw can be exploited remotely, making it critical for system administrators to apply necessary updates or patch the affected software. Despite early disclosure of this vulnerability to the vendor, no response has been recorded, raising concerns about the urgency for remediation.

Affected Version(s)

LyLme_spage 1.9.5

References

https://vuldb.com/?id.279940
vdb-entrytechnical-description
https://vuldb.com/?ctiid.279940
signaturepermissions-required
https://vuldb.com/?submit.414574
third-party-advisory

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

wiki (VulDB User)
.