CVE-2024-8302

A vulnerability was found in dingfanzu CMS up to 29d67d9044f6f93378e6eb6ff92272217ff7225c. It has been rated as critical. Affected by this issue is some unknown functionality of the file /ajax/chpwd.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Configurations

Configuration 1 (hide)

cpe:2.3:a:geeeeeeeek:dingfanzu:*:*:*:*:*:*:*:*

History

19 Sep 2024, 21:55

Type Values Removed Values Added
References () https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/dingfanzu-CMS/dingfanzu-CMS%20chpwd.php%20username%20SQL-inject.md - () https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/dingfanzu-CMS/dingfanzu-CMS%20chpwd.php%20username%20SQL-inject.md - Exploit, Third Party Advisory
References () https://vuldb.com/?ctiid.276074 - () https://vuldb.com/?ctiid.276074 - Permissions Required
References () https://vuldb.com/?id.276074 - () https://vuldb.com/?id.276074 - Third Party Advisory
References () https://vuldb.com/?submit.396297 - () https://vuldb.com/?submit.396297 - Third Party Advisory
CPE cpe:2.3:a:geeeeeeeek:dingfanzu:*:*:*:*:*:*:*:*
Summary
  • (es) Se encontró una vulnerabilidad en dingfanzu CMS hasta 29d67d9044f6f93378e6eb6ff92272217ff7225c. Se ha calificado como crítica. Este problema afecta a algunas funciones desconocidas del archivo /ajax/chpwd.php. La manipulación del argumento username provoca una inyección SQL. El ataque se puede ejecutar de forma remota. El exploit se ha divulgado al público y se puede utilizar. Este producto utiliza la entrega continua con versiones sucesivas. Por lo tanto, no hay detalles de las versiones afectadas ni de las versiones actualizadas disponibles. NOTA: Se contactó primeramente con el proveedor sobre esta divulgación, pero no respondió de ninguna manera.
First Time Geeeeeeeek
Geeeeeeeek dingfanzu
CVSS v2 : 6.5
v3 : 6.3
v2 : 6.5
v3 : 9.8

29 Aug 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-29 14:15

Updated : 2024-09-19 21:55


NVD link : CVE-2024-8302

Mitre link : CVE-2024-8302

CVE.ORG link : CVE-2024-8302


JSON object : View

Products Affected

geeeeeeeek

  • dingfanzu
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')