PT-2025-50761 · Xbtitfm · Xbtitfm

Xbtitfm Team · Published 2025-12-11 · Updated 2025-12-12 · CVE-2024-58309

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: xbtitFM version 4.1.18

Description: The software contains an unauthenticated SQL injection vulnerability. A remote attacker can manipulate database queries by injecting SQL through the msgid parameter of the '/shoutedit.php' endpoint. Because the injected input reaches the query unparameterized, crafted requests that use error-based techniques such as EXTRACTVALUE can return database names, user credentials, and password hashes to the attacker.

Recommendations: Apply a fix that removes the SQL injection in the msgid parameter of the '/shoutedit.php' endpoint.
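The advisory names the root cause (an untrusted msgid value reaching a query) and the technique that makes it exploitable without authentication (error-based extraction via EXTRACTVALUE, which depends on database error text being returned to the client). The following PHP is an added illustration and is not xbtitFM's own code: it shows a hypothetical shout lookup in the injectable form and then in a hardened form. The table name `shoutbox`, its columns, and the function names are assumptions made for the example.

```php
<?php
// Added illustration, not xbtitFM's code. Hypothetical lookup of a shoutbox
// entry by msgid, shown first in the injectable form and then hardened.

// --- Vulnerable pattern ---
// The untrusted value is concatenated into the SQL string, so it is parsed as
// SQL. Database errors are echoed to the client, which is exactly what
// error-based extraction (e.g. via EXTRACTVALUE) relies on to carry data out.
function load_shout_unsafe(mysqli $db, array $get): ?array
{
    $msgid = $get['msgid'] ?? '';
    $sql = "SELECT id, user, text FROM shoutbox WHERE id = $msgid"; // injectable
    $result = $db->query($sql);
    if ($result === false) {
        die('DB error: ' . $db->error); // leaks the error text to the requester
    }
    return $result->fetch_assoc() ?: null;
}

// --- Hardened pattern ---
// 1. Validate msgid as a positive integer before it goes near the database.
// 2. Use a prepared statement with a typed bound parameter, so the value can
//    never change the structure of the query.
// 3. Never return raw database errors; log them server-side and answer with a
//    generic status. This removes the error channel even if another query
//    elsewhere is still flawed.
// Assumes $db was created with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION and
// PDO::ATTR_EMULATE_PREPARES => false (assumption for this example).
function load_shout_safe(PDO $db, array $get): ?array
{
    $msgid = filter_var(
        $get['msgid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($msgid === false) {
        http_response_code(400); // reject anything that is not a valid id
        return null;
    }

    try {
        $stmt = $db->prepare('SELECT id, user, text FROM shoutbox WHERE id = :id');
        $stmt->bindValue(':id', $msgid, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        error_log('shoutedit lookup failed: ' . $e->getMessage()); // server-side only
        http_response_code(500);
        return null;
    }
}
```

When reviewing a fix for this class of issue, check all three points rather than only the prepared statement: input validation alone is bypassable if the value is later used elsewhere, and a prepared statement alone still leaves a verbose error page as an information channel for any other unparameterized query in the application.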

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2024-58309

Affected Products: Xbtitfm