CVE-2024-24112
Published: 2024-02-06
CVE-2024-24112: xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.
Priority: P260 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS: 3.35% (87.2th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| exrick | xmall | — | — |
Detection & IOCs (extracted from sources)
- URL: /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+updatexml(1,concat(0x7e,{{md5(num)}},0x7e),1)%23;&start=0&length=1&search%5Bvalue%5D=&search%5Bregex%5D=false&cid=-1&_=1
- Response body contains both the MD5 hash of the random integer and the string 'MySQLSyntaxErrorException', indicating successful error-based SQL injection via the orderDir parameter.
- The vulnerable endpoint is GET /item/list; the injection point is the order[0][dir] parameter (URL-encoded as order%5B0%5D%5Bdir%5D). Payloads break out of the ORDER BY clause using a closing parenthesis followed by a UNION SELECT with UPDATEXML for error-based data extraction.
- The vulnerability is unauthenticated (PR:N) and network-reachable (AV:N); no session cookie or authentication token is required to trigger the SQL injection.
- HTTP response status 200 is returned even on successful exploitation; detection should not rely on error-level HTTP status codes.
- The exploit uses a randomly generated integer (rand_int 9000000–9999999) whose MD5 hash is embedded in the payload and matched in the response body, making each probe unique. Static signatures must account for this dynamic component.
- The affected version is specifically XMall v1.1; the CPE is cpe:2.3:a:exrick:xmall:1.1:*:*:*:*:*:*:*. Detections should be scoped to this version.
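As an added example (not from the page's sources or the XMall project), the following Python shows the allowlist that removes this bug class, and a scan over constructed access-log lines that flags tampered sort directions on /item/list without looking at the status code, which the bullets above note is 200 even when the injection succeeds. It assumes the endpoint and the order[0][dir] parameter named above, and a hypothetical set of sortable columns.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (from the bullets above): /item/list builds its ORDER BY from the
# order[0][dir] request parameter, so anything other than asc/desc is tampering.
ENDPOINT = "/item/list"
DIR_PARAM = "order[0][dir]"
ALLOWED_DIRS = {"asc", "desc"}
ALLOWED_COLUMNS = {"id", "name", "price"}  # hypothetical sortable columns

def safe_order_by(column, direction):
    """Hardened form: only allowlisted tokens ever reach the SQL text."""
    if column not in ALLOWED_COLUMNS or direction.lower() not in ALLOWED_DIRS:
        raise ValueError("rejected sort parameters")
    return f"ORDER BY {column} {direction.upper()}"

def order_dir_from_query(query):
    """Return the decoded order[0][dir] value from a query string, or None."""
    values = parse_qs(query, keep_blank_values=True).get(DIR_PARAM)
    return values[0] if values else None

def is_suspicious_order_dir(value):
    """True when the sort direction is anything but a plain asc/desc."""
    return value is not None and value.strip().lower() not in ALLOWED_DIRS

def scan_access_log(lines):
    """Return (line_no, value) for /item/list requests whose sort direction
    is tampered. Status codes are ignored on purpose: the server answers
    200 whether or not the injection succeeds."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if target.path != ENDPOINT:
            continue
        value = order_dir_from_query(target.query)
        if is_suspicious_order_dir(value):
            hits.append((n, value))
    return hits

# Constructed sample log lines (not real traffic); line 2 uses the page's
# breakout pattern, a ')' closing the ORDER BY followed by a UNION SELECT.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2024:10:00:00 +0000] "GET /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc&start=0&length=10 HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Feb/2024:10:00:01 +0000] "GET /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+1%23&start=0&length=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [06/Feb/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, value in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious {DIR_PARAM} = {value!r}")
```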
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_oracle: 8.1 HIGH
GHSA
GHSA-qv88-9x4p-qm78: xmall v1 (ghsa_unreviewed · 2024-02-06)
CVE-2024-24112 [CRITICAL] CWE-89
xmall v1.1 was discovered to contain a SQL injection vulnerability via the orderDir parameter.
Oracle (this entry concerns CVE-2021-24112, a different CVE)
Oracle MySQL Risk Matrix: Connector/Net (.NET Core) — CVE-2021-24112 (vendor_oracle · 2024-07-15 · CVSS 8.1)
CVE-2021-24112 [HIGH] Oracle MySQL Risk Matrix: Connector/Net (.NET Core) vulnerability
CVE: CVE-2021-24112
CVSS: 8.1
Protocol: MySQL Protocol
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Suricata (these rules concern CVE-2022-24112, a different CVE)
ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M1 (suricata · 2022-02-22 · CVSS 9.8)
CVE-2022-24112 [CRITICAL]
Rule: alert http1 any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M1"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"filter_func"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035272; rev:4; metadata:created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_na
ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M2 (suricata · 2022-02-22 · CVSS 9.8)
CVE-2022-24112 [CRITICAL]
Rule: alert http1 any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M2"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"script"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035273; rev:4; metadata:created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name In
Nuclei
Exrick XMall - SQL Injection (nuclei · CVSS 9.8)
CVE-2024-24112 [CRITICAL]
XMall v1.1 was discovered to contain a SQL injection vulnerability via the 'orderDir' parameter.
Template:

```yaml
id: CVE-2024-24112

info:
  name: Exrick XMall - SQL Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    XMall v1.1 was discovered to contain a SQL injection vulnerability via the 'orderDir' parameter.
  impact: |
    Unauthenticated attackers can extract sensitive database information via SQL injection in the orderDir parameter.
  remediation: |
    Update Exrick XMall to a version newer than 1.1.
  reference:
    - https://github.com/Exrick/xmall/issues/78
    - https://nvd.nist.gov/vuln/detail/CVE-2024-24112
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-24112
    cwe-id: CWE-89
    epss-score: 0.81566
    epss-pe
```