CVE-2024-44541
published 2024-09-11

CVE-2024-44541: evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin."

Priority: P263
CVSS 3.1: 9.8 (critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available: yes
EPSS: 2.58% (83.2th percentile)

Detection & IOCs (extracted from sources)

  • URL: /?action=processlogin
  • Command: ' or email LIKE '' and password LIKE '%' and is_admin=1 LIMIT 1-- -
  • Command: ") or username like '%' or email like '%' and is_admin=1 LIMIT 1-- -
  • Monitor POST requests to /?action=processlogin for SQL injection patterns in the 'username' parameter, specifically looking for SQL keywords such as LIKE, LIMIT, OR, and comment sequences (-- -).
  • Detect blind/error-based SQLi enumeration by identifying repeated POST requests to the login endpoint with incrementally changing 'username' values (character-by-character brute force pattern).
  • Alert on HTTP responses to /?action=processlogin containing 'window.location=\'index.php?view=home\';' as this string is used by the exploit to confirm successful SQL injection authentication bypass.
  • The application stores passwords as SHA1(MD5(password)); detection of cracked credentials should account for this double-hashing scheme when auditing password storage.
  • The SQL injection affects Inventio Lite v4 and all prior versions; v4 is the confirmed vulnerable version referenced in the exploit.
  • The exploit targets the 'username' POST parameter specifically; the 'password' parameter is not the injection point and is submitted with an arbitrary value during exploitation.
  • The extracted admin hash character set is limited to lowercase alphanumerics only (no symbols, no uppercase), consistent with SHA1(MD5()) output format.