SQL Injection Vulnerability in LyLme_spage Web Application

CVE-2024-9788

7.2HIGH

Key Information

Vendor
LyLme
Status
Lylme Spage
Vendor
CVE Published:
10 October 2024

Badges

👾 Exploit Exists🔴 Public PoC

Summary

A severe SQL injection vulnerability has been identified in the LyLme_spage web application, specifically affecting version 1.9.5. The vulnerability arises from improper handling of input parameters in the /admin/tag.php file, allowing attackers to manipulate the 'id' argument. This exploitation could enable unauthorized access to the underlying database, potentially exposing sensitive data or facilitating further attacks. The flaw can be exploited remotely, making it critical for system administrators to apply necessary updates or patch the affected software. Despite early disclosure of this vulnerability to the vendor, no response has been recorded, raising concerns about the urgency for remediation.

Affected Version(s)

LyLme_spage = 1.9.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-9788 - Proof of Concept

References

https://vuldb.com/?id.279940
vdb-entrytechnical-description
https://vuldb.com/?ctiid.279940
signaturepermissions-required
https://vuldb.com/?submit.414574
third-party-advisory

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🔴

    Public PoC available

  • Vulnerability Reserved

  • 👾

    Exploit known to exist

  • Vulnerability published

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

wiki (VulDB User)
.