CVE-2024-8155

A vulnerability classified as critical was found in ContiNew Admin 3.2.0. Affected by this vulnerability is the function top.continew.starter.extension.crud.controller.BaseController#tree of the file /api/system/dept/tree?sort=parentId%2Casc&sort=sort%2Casc. The manipulation of the argument sort leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
Link Resource
https://github.com/Chiexf/cve/issues/3 Exploit Issue Tracking Third Party Advisory
https://vuldb.com/?ctiid.275743 Permissions Required
https://vuldb.com/?id.275743 Third Party Advisory
https://vuldb.com/?submit.391851 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:continew:admin:3.2.0:*:*:*:*:*:*:*

History

12 Sep 2024, 13:53

Type Values Removed Values Added
CPE cpe:2.3:a:continew:admin:3.2.0:*:*:*:*:*:*:*
First Time Continew
Continew admin
CVSS v2 : 5.8
v3 : 4.7
v2 : 5.8
v3 : 4.9
References () https://github.com/Chiexf/cve/issues/3 - () https://github.com/Chiexf/cve/issues/3 - Exploit, Issue Tracking, Third Party Advisory
References () https://vuldb.com/?ctiid.275743 - () https://vuldb.com/?ctiid.275743 - Permissions Required
References () https://vuldb.com/?id.275743 - () https://vuldb.com/?id.275743 - Third Party Advisory
References () https://vuldb.com/?submit.391851 - () https://vuldb.com/?submit.391851 - Third Party Advisory

26 Aug 2024, 12:47

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad fue encontrada en ContiNew Admin 3.2.0 y clasificada como crítica. La función top.continew.starter.extension.crud.controller.BaseController#tree del archivo /api/system/dept/tree?sort=parentId%2Casc&sort=sort%2Casc es afectada por esta vulnerabilidad. La manipulación del tipo de argumento conduce a la inyección de SQL. El ataque se puede lanzar de forma remota. El exploit ha sido divulgado al público y puede utilizarse. NOTA: Se contactó primeramente con el proveedor sobre esta divulgación, pero no respondió de ninguna manera.

25 Aug 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-25 23:15

Updated : 2024-09-12 13:53


NVD link : CVE-2024-8155

Mitre link : CVE-2024-8155

CVE.ORG link : CVE-2024-8155


JSON object : View

Products Affected

continew

  • admin
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')