CVE-2024-44541
Published: 2024-09-11
Priority: P2 63 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.58% (83.2th percentile)
evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin."
Detection & IOCs (extracted from sources)
- Monitor POST requests to /?action=processlogin for SQL injection patterns in the 'username' parameter, specifically looking for SQL keywords such as LIKE, LIMIT, OR, and comment sequences (-- -).
- Detect blind/error-based SQLi enumeration by identifying repeated POST requests to the login endpoint with incrementally changing 'username' values (character-by-character brute force pattern).
- Alert on HTTP responses to /?action=processlogin containing 'window.location=\'index.php?view=home\';', as this string is used by the exploit to confirm a successful SQL injection authentication bypass.
- The application stores passwords as SHA1(MD5(password)); detection of cracked credentials should account for this double-hashing scheme when auditing password storage.
- The SQL injection affects Inventio Lite v4 and all prior versions; v4 is the confirmed vulnerable version referenced in the exploit.
- The exploit targets the 'username' POST parameter specifically; the 'password' parameter is not the injection point and is submitted with an arbitrary value during exploitation.
- The extracted admin hash character set is limited to lowercase alphanumerics only (no symbols, no uppercase), consistent with SHA1(MD5()) output format.
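The three detection notes above (keyword/comment matching on the 'username' parameter, the character-by-character enumeration pattern, and the redirect string that confirms a bypass) can be combined into one log-analysis pass. The script below is an added example, not code from the CVE record or from Inventio Lite; it assumes a proxy or WAF log in JSON-lines form that captures the POST body fields (`src_ip`, `method`, `path`, `username`, `response_body` are assumed field names), and the sample records are constructed for illustration.

```python
"""Detection pass for the Inventio Lite login SQLi indicators (added example).

Assumptions: log records are JSON lines from a proxy/WAF that records the
login form body. Field names (src_ip, method, path, username, response_body)
are this example's own choice, not a real product's schema.
"""
import json
import re
from collections import defaultdict

LOGIN_PATH = "/?action=processlogin"
# Redirect fragment the record says the exploit looks for in the response
# (unescaped form of the quoted string above).
BYPASS_MARKER = "window.location='index.php?view=home';"

# SQL keywords and comment sequence named in the detection note.
SQL_KEYWORD = re.compile(r"\b(LIKE|LIMIT|OR)\b", re.IGNORECASE)
SQL_COMMENT = re.compile(r"--\s*-")
QUOTE = re.compile(r"['\"]")


def is_sqli_username(username: str) -> bool:
    """True when the username carries SQL syntax rather than an identifier.

    A keyword on its own is not enough (a user literally named 'or' must not
    fire); require either the comment sequence or a quote plus a keyword.
    """
    if SQL_COMMENT.search(username):
        return True
    return bool(QUOTE.search(username)) and bool(SQL_KEYWORD.search(username))


def _prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def detect_enumeration(records, min_steps: int = 4) -> dict:
    """Flag client IPs whose successive login attempts differ only in the
    last one or two characters: the blind, character-by-character pattern."""
    by_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == LOGIN_PATH:
            by_ip[r["src_ip"]].append(r["username"])
    flagged = {}
    for ip, names in by_ip.items():
        steps = 0
        for prev, cur in zip(names, names[1:]):
            if prev != cur and _prefix_len(prev, cur) >= max(len(prev), len(cur)) - 2:
                steps += 1
        if steps >= min_steps:
            flagged[ip] = steps
    return flagged


def find_bypass_confirmations(records) -> list:
    """Requests with SQL syntax in 'username' whose response carried the
    home redirect, i.e. the server accepted the injected login."""
    return [
        r for r in records
        if r["path"] == LOGIN_PATH
        and is_sqli_username(r["username"])
        and BYPASS_MARKER in r.get("response_body", "")
    ]


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(log_text: str, min_steps: int = 4) -> dict:
    records = parse_log(log_text)
    sqli = [r for r in records
            if r["path"] == LOGIN_PATH and r["method"] == "POST"
            and is_sqli_username(r["username"])]
    return {
        "sqli_requests": len(sqli),
        "enumeration": detect_enumeration(records, min_steps),
        "bypass_confirmed": [(r["src_ip"], r["username"])
                             for r in find_bypass_confirmations(records)],
    }


# Constructed sample log: one benign user, one client probing the login form.
SAMPLE_LOG = """
{"src_ip":"10.0.0.5","method":"POST","path":"/?action=processlogin","username":"alice","response_body":"Invalid login"}
{"src_ip":"10.0.0.9","method":"POST","path":"/?action=processlogin","username":"admin' -- -","response_body":"<script>window.location='index.php?view=home';</script>"}
{"src_ip":"10.0.0.9","method":"POST","path":"/?action=processlogin","username":"admin' LIKE 'a","response_body":"Invalid login"}
{"src_ip":"10.0.0.9","method":"POST","path":"/?action=processlogin","username":"admin' LIKE 'b","response_body":"Invalid login"}
{"src_ip":"10.0.0.9","method":"POST","path":"/?action=processlogin","username":"admin' LIKE 'c","response_body":"Invalid login"}
{"src_ip":"10.0.0.9","method":"POST","path":"/?action=processlogin","username":"admin' LIKE 'd","response_body":"Invalid login"}
{"src_ip":"10.0.0.9","method":"POST","path":"/?action=processlogin","username":"admin' LIKE 'e","response_body":"Invalid login"}
{"src_ip":"10.0.0.5","method":"POST","path":"/?action=processlogin","username":"bob","response_body":"Invalid login"}
{"src_ip":"10.0.0.7","method":"GET","path":"/?action=processlogin","username":"","response_body":""}
"""

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The enumeration check deliberately keys on the shape of consecutive usernames rather than on any keyword, so it still fires if an attacker varies the SQL wording; the keyword check and the redirect marker are independent signals, and a hit on the third one (a request with SQL syntax that received the home redirect) is the one that should page someone.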
No detection rules found.
No writeups or analysis indexed.