CVE-2024-10805

A vulnerability was found in code-projects University Event Management System 1.0. It has been classified as critical. This affects an unknown part of the file doedit.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions a confusing product name to be affected. Other parameters might be affected as well.
References
Link Resource
https://code-projects.org/ Product
https://github.com/yhcyhc981/cve/blob/main/sql16.md Exploit Third Party Advisory
https://vuldb.com/?ctiid.283029 Permissions Required VDB Entry
https://vuldb.com/?id.283029 Third Party Advisory VDB Entry
https://vuldb.com/?submit.436546 Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

cpe:2.3:a:anisha:university_event_management_system:1.0:*:*:*:*:*:*:*

History

07 Nov 2024, 17:09

Type Values Removed Values Added
CVSS v2 : 6.5
v3 : 6.3
v2 : 6.5
v3 : 8.8
First Time Anisha
Anisha university Event Management System
CPE cpe:2.3:a:anisha:university_event_management_system:1.0:*:*:*:*:*:*:*
References () https://code-projects.org/ - () https://code-projects.org/ - Product
References () https://github.com/yhcyhc981/cve/blob/main/sql16.md - () https://github.com/yhcyhc981/cve/blob/main/sql16.md - Exploit, Third Party Advisory
References () https://vuldb.com/?ctiid.283029 - () https://vuldb.com/?ctiid.283029 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.283029 - () https://vuldb.com/?id.283029 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.436546 - () https://vuldb.com/?submit.436546 - Third Party Advisory, VDB Entry

05 Nov 2024, 16:04

Type Values Removed Values Added
Summary
  • (es) Se ha encontrado una vulnerabilidad en el University Event Management System 1.0. Se ha clasificado como crítica. Afecta a una parte desconocida del archivo doedit.php. La manipulación del argumento id provoca una inyección SQL. Es posible iniciar el ataque de forma remota. El exploit se ha hecho público y puede utilizarse. El aviso inicial para investigadores menciona que el nombre del producto afectado puede resultar confuso. También podrían verse afectados otros parámetros.

04 Nov 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-04 23:15

Updated : 2024-11-07 17:09


NVD link : CVE-2024-10805

Mitre link : CVE-2024-10805

CVE.ORG link : CVE-2024-10805


JSON object : View

Products Affected

anisha

  • university_event_management_system
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-707

Improper Neutralization

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')