cnvd - cnvd-2024-35179

CNVD-2024-35179

Vulnerability from cnvd - Published: 2024-08-15

Title

Computer Laboratory Management System SQL注入漏洞

Description

Computer Laboratory Management System是一个计算机实验室管理系统。 Computer Laboratory Management System 1.0版本存在SQL注入漏洞，该漏洞源于参数id缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令窃取数据库敏感数据。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://vuldb.com/?id.271704

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-6802

Impacted products

Name
Computer Laboratory Management System Computer Laboratory Management System 1.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-6802",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-6802"
    }
  },
  "description": "Computer Laboratory Management System\u662f\u4e00\u4e2a\u8ba1\u7b97\u673a\u5b9e\u9a8c\u5ba4\u7ba1\u7406\u7cfb\u7edf\u3002\n\nComputer Laboratory Management System 1.0\u7248\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53c2\u6570id\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u7a83\u53d6\u6570\u636e\u5e93\u654f\u611f\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://vuldb.com/?id.271704",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-35179",
  "openTime": "2024-08-15",
  "products": {
    "product": "Computer Laboratory Management System Computer Laboratory Management System 1.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-6802",
  "serverity": "\u4e2d",
  "submitTime": "2024-07-19",
  "title": "Computer Laboratory Management System SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2024-6802 (GCVE-0-2024-6802)

Vulnerability from cvelistv5 – Published: 2024-07-17 02:00 – Updated: 2024-08-26 04:53

Summary

A vulnerability, which was classified as critical, was found in SourceCodester Computer Laboratory Management System 1.0. Affected is an unknown function of the file /lms/classes/Master.php?f=save_record. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-89 - SQL Injection

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.271704	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.271704	signaturepermissions-required
	https://vuldb.com/?submit.374797	third-party-advisory
	https://reports.kunull.net/CVEs/CVE-2024-6802	broken-link
	https://reports.kunull.net/CVEs/2024/CVE-2024-6802	exploit
	https://www.sourcecodester.com/	product

Impacted products

	Vendor	Product	Version
	SourceCodester	Computer Laboratory Management System	Affected: 1.0

Credits

Kunal Walavalkar

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sourcecodester:computer_laboratory_management_system:1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "computer_laboratory_management_system",
            "vendor": "sourcecodester",
            "versions": [
              {
                "status": "affected",
                "version": "1.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6802",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-17T13:28:27.631764Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-17T13:29:17.566Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:45:38.364Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VDB-271704 | SourceCodester Computer Laboratory Management System sql injection",
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.271704"
          },
          {
            "name": "VDB-271704 | CTI Indicators (IOB, IOC, TTP, IOA)",
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.271704"
          },
          {
            "name": "Submit #374797 | SourceCodester Computer Laboratory Management System 1.0 SQL Injection",
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?submit.374797"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://reports-kunull.vercel.app/CVE%20research/2024/cve-2024-6802"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Computer Laboratory Management System",
          "vendor": "SourceCodester",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kunal Walavalkar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as critical, was found in SourceCodester Computer Laboratory Management System 1.0. Affected is an unknown function of the file /lms/classes/Master.php?f=save_record. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in SourceCodester Computer Laboratory Management System 1.0 gefunden. Sie wurde als kritisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Datei /lms/classes/Master.php?f=save_record. Durch Manipulation des Arguments id mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 SQL Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-26T04:53:04.377Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-271704 | SourceCodester Computer Laboratory Management System Master.php sql injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.271704"
        },
        {
          "name": "VDB-271704 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.271704"
        },
        {
          "name": "Submit #374797 | SourceCodester Computer Laboratory Management System 1.0 SQL Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.374797"
        },
        {
          "tags": [
            "broken-link"
          ],
          "url": "https://reports.kunull.net/CVEs/CVE-2024-6802"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://reports.kunull.net/CVEs/2024/CVE-2024-6802"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-07-16T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-07-16T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-08-26T06:53:39.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "SourceCodester Computer Laboratory Management System Master.php sql injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-6802",
    "datePublished": "2024-07-17T02:00:05.235Z",
    "dateReserved": "2024-07-16T19:19:52.189Z",
    "dateUpdated": "2024-08-26T04:53:04.377Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-35179

CVE-2024-6802 (GCVE-0-2024-6802)

Tags

Sightings

Nomenclature