CVE-2024-36837
Published: 2024-06-05
Priority: P2 60 · High · CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 8.31% (94.2th percentile)
SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crmeb | crmeb | — | — |
Detection & IOCs (extracted from sources)
URL IOC: `/api/products?limit=20&priceOrder=&salesOrder=&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5({{num}})))),0x7e),3550)`
- SQL injection payload is delivered via the `selectId` GET parameter on the `/api/products` endpoint using a GTID_SUBSET-based blind/error injection technique.
- A successful exploitation response returns HTTP 200 with Content-Type `application/json` and contains both the MD5 hash of the injected integer and the string `SQLSTATE` in the response body.
- FOFA fingerprinting query `title="CRMEB"` can be used to identify exposed CRMEB instances potentially vulnerable to this CVE.
- The vulnerability is triggered through the `getProductList` function inside `ProductController.php`; monitor GET requests to `/api/products` with a `selectId` parameter containing SQL function calls such as `GTID_SUBSET`, `CONCAT`, `ELT`, or `md5`.
- The Nuclei template uses a randomised integer (`rand_int(9000000, 9999999)`) as the injection payload seed and matches its MD5 hash in the response body, meaning detection signatures must account for a variable payload rather than a static string.
- The exploit requires only a single unauthenticated GET request (`max-request: 1`), lowering the bar for mass scanning and exploitation.
- EPSS score of 0.91665 (99.68th percentile) indicates very high real-world exploitation probability; treat detections as high-priority.
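The monitoring guidance above (watch GET requests to `/api/products` whose `selectId` contains calls such as `GTID_SUBSET`, `CONCAT`, `ELT` or `md5`, and do not key on the randomised seed) can be turned into a small access-log scanning rule. The Python below is an added example written for this page, not code from CRMEB, the Nuclei template or the cited sources. It assumes Common Log Format access logs, scopes the check to the `selectId` parameter of `/api/products` (both configurable in `WATCHED`), decodes the value twice so double URL-encoding does not hide the function names, and adds `SELECT` to the list because it also appears in the sample payload. The log lines are constructed.

```python
"""Flag access-log requests whose /api/products?selectId=... value calls SQL
functions (CVE-2024-36837 style probing).

Added example for this page; not code from CRMEB, the Nuclei template or the
CVE sources. Log lines in SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Common Log Format (assumed input format). The request target is what we inspect.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Function calls named in the extracted IOCs, plus SELECT( from the sample payload.
# Matching on function names (not on the md5(<int>) seed) survives the randomised
# payload the Nuclei template generates.
SQL_CALL_RE = re.compile(r'\b(GTID_SUBSET|CONCAT|ELT|MD5|SELECT)\s*\(', re.IGNORECASE)

# path -> parameters to inspect (assumed scope, taken from the IOC notes above)
WATCHED = {"/api/products": {"selectId"}}


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def sql_calls_in(value):
    """List the SQL function names called in a query value, upper-cased and
    de-duplicated. parse_qs already decoded once; a second unquote catches
    double URL-encoding."""
    decoded = unquote_plus(value)
    found = []
    for name in SQL_CALL_RE.findall(decoded):
        name = name.upper()
        if name not in found:
            found.append(name)
    return found


def inspect_target(target):
    """Return {param: sorted function names} for watched params of a watched path."""
    parts = urlsplit(target)
    params = WATCHED.get(parts.path)
    if not params:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in params:
            continue
        calls = {c for v in values for c in sql_calls_in(v)}
        if calls:
            hits[name] = sorted(calls)
    return hits


def scan_log(lines):
    """Return one finding per request that matches the rule."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        hits = inspect_target(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], "hits": hits})
    return findings


# Constructed sample log: one benign listing, the probe pattern from the IOC
# above (seed randomised, '=' URL-encoded), a double-encoded variant, and a
# SQL keyword on an endpoint this rule does not watch.
SAMPLE_LOG = [
    '198.51.100.10 - - [05/Jun/2024:10:00:01 +0000] "GET /api/products?limit=20&priceOrder=&salesOrder=&selectId=12 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [05/Jun/2024:10:00:02 +0000] "GET /api/products?limit=20&priceOrder=&salesOrder=&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550%3D3550,md5(9123456)))),0x7e),3550) HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jun/2024:10:00:03 +0000] "GET /api/products?selectId=CONCAT%2528md5%25289000001%2529%2529 HTTP/1.1" 200 498',
    '192.0.2.7 - - [05/Jun/2024:10:00:04 +0000] "GET /api/search?keyword=CONCAT(a,b) HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the file prints the two findings for `203.0.113.5`; the benign `selectId=12` request and the unwatched `/api/search` request produce nothing. Because the rule keys on function names rather than the hash seed, it also fires on the template's `rand_int` payloads, and pairing it with the response-side indicators above (HTTP 200, `application/json`, `SQLSTATE` in the body) lets a WAF or proxy log distinguish a successful probe from a blocked one.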
No detection rules found.
Nuclei
CVE-2024-36837 [HIGH] CRMEB v.5.2.2 - SQL Injection (nuclei · CVSS 7.5)
Template:

```yaml
id: CVE-2024-36837

info:
  name: CRMEB v.5.2.2 - SQL Injection
  author: DhiyaneshDk
  severity: high
  description: |
    SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
  impact: |
    Attackers can execute SQL injection via the selectId parameter in getProductList to obtain sensitive database information.
  remediation: |
    Update CRMEB to a version later than 5.2.2 that patches the SQL injection vulnerability.
  reference:
    - https://github.com/phtcloud-dev/CVE-2024-36837
    - https://
```