CVE-2024-24495
published 2024-02-08

CVE-2024-24495: SQL Injection vulnerability in delete-tracker.php in Daily Habit Tracker v.1.0 allows a remote attacker to execute arbitrary code via crafted GET request.

Priority P262 | critical 9.8 | CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.33% (67.5th percentile)

Affected

1 ranges
Vendor | Product | Version range | Fixed in
remyandrade | daily_habit_tracker | |

Detection & IOCs (extracted from sources)

filename: delete-tracker.php
  • Alert on sqlmap User-Agent strings combined with requests to delete-tracker.php, as the PoC uses sqlmap with --technique=T (time-based blind) against this endpoint.
  • The PoC was tested on Debian only; behavior on other OS/DB configurations may differ.
  • The vulnerability is exploitable via a simple unauthenticated GET request with no session or authentication required, widening the attack surface.

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv | 5.7 | MEDIUM