Cyber Resilience

CVE-2024-2265

Severity: Medium · Public PoC referenced

Published: 07 March 2024
Modified: 11 March 2025
KEV Added: not listed
Patch: none listed
CVSS v3.1 score: 5.3 (Medium) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS score: 0.0010 (27.6th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2265 is a medium-severity Inclusion of Sensitive Information in Source Code (CWE-540) vulnerability in Keerti1924 Php Mysql User Signup Login System. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVSS vector (AV:N/AC:L/PR:N/UI:N with only C:L) describes an unauthenticated remote read of the file with no integrity or availability impact, which is why the base score stays at Medium despite the public proof-of-concept. EPSS places the CVE at the 27.6th percentile for exploit likelihood (below the median), and it is not listed in the CISA KEV catalog.


Vulnerability details

A vulnerability, which was classified as problematic, was found in keerti1924 PHP-MYSQL-User-Login-System 1.0. This affects an unknown part of the file login.sql. The manipulation leads to inclusion of sensitive information in source code. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256035. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-540 Inclusion of Sensitive Information in Source Code

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1552.001 Unsecured Credentials: Credentials In Files (tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1589.001 Gather Victim Identity Information: Credentials (tactic: Reconnaissance)
Adversaries may gather credentials that can be used during targeting.
T1592.002 Gather Victim Host Information: Software (tactic: Reconnaissance)
Adversaries may gather information about the victim's host software that can be used during targeting.
Why these techniques?

The publicly reachable login.sql exposes password hashes together with details of the software in use. That supports collection of credentials from files (T1552.001), gathering of credentials for later targeting (T1589.001), and reconnaissance of the victim's host software (T1592.002). Hashes obtained this way are typically fed to offline cracking or tried for credential reuse, so they should be treated as compromised once the file has been exposed.

Affected Assets

Vendor: keerti1924
Product: php mysql user signup login system
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Detection and removal of spilled information (addresses CWE-540): covers cases where sensitive data was included in source code.

Developer screening (addresses CWE-540): helps prevent intentional insertion of sensitive information into source code by untrusted developers.

SDLC-wide OPSEC controls (addresses CWE-540): prevent inclusion of sensitive information in source code and development artifacts.
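The first control above, detecting and removing credential material that was committed as an artifact, is the part a practitioner can automate. The following is an added example and is not code from the project or from this advisory. It parses a phpMyAdmin-style MySQL dump, flags row values that sit in credential-named columns or that look like password hashes, and emits a schema-only copy of the dump that is safe to commit. The dump text, table names, user rows and hash values in SAMPLE_DUMP are constructed for the example; the project's actual login.sql was not inspected here, and the column-name list and hash patterns are the author's assumptions about what such dumps commonly contain.

```python
"""Scan a MySQL dump for credential material committed as source (CWE-540).

Added example, not code from the project or the advisory. It models the
mistake behind this CVE class: a database export with user rows and their
password hashes checked in next to the application code.
"""
import re
from dataclasses import dataclass

# Constructed sample dump. Tables, users and hash values are invented for
# this example (hypothetical data, not taken from the project's login.sql).
SAMPLE_DUMP = """-- constructed sample, phpMyAdmin export style
CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `username` varchar(50) NOT NULL,
  `email` varchar(100) NOT NULL,
  `password` varchar(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `users` (`id`, `username`, `email`, `password`) VALUES
(1, 'alice', 'alice@example.com', '5f4dcc3b5aa765d61d8327deb882cf99'),
(2, 'bob', 'bob@example.com', '$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'),
(3, 'carol', 'carol@example.com', 'plaintext-secret');

CREATE TABLE `posts` (
  `id` int(11) NOT NULL,
  `title` varchar(200) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `posts` VALUES (1, 'Hello, it''s a post');
"""

# Column names that commonly hold secrets (assumed list, matched case-insensitively).
CREDENTIAL_COLUMNS = {"password", "passwd", "pass", "pwd", "password_hash",
                      "secret", "token", "api_key", "apikey"}

# Hash families commonly seen in PHP/MySQL apps; order matters (first match wins).
HASH_SHAPES = {
    "md5 (32 hex)": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1 (40 hex)": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256 (64 hex)": re.compile(r"^[0-9a-f]{64}$", re.I),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "phpass/md5crypt": re.compile(r"^\$(?:P|H|1)\$"),
}

# Dump-grammar fragments: single-quoted strings (with '' and backslash escapes),
# one VALUES tuple, CREATE TABLE bodies and INSERT statements.
_STR = r"'(?:[^'\\]|\\.|'')*'"
_TUPLE = rf"\((?:{_STR}|[^()'])*\)"
CREATE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?\s*\((.*?)\)\s*(?:ENGINE[^;]*)?;", re.I | re.S)
INSERT_RE = re.compile(rf"INSERT INTO\s+`?(\w+)`?\s*(?:\(([^)]*)\))?\s*VALUES\s*((?:{_TUPLE}\s*,?\s*)+);", re.I)
TUPLE_RE = re.compile(_TUPLE)
VALUE_RE = re.compile(rf"{_STR}|NULL|-?\d+(?:\.\d+)?", re.I)
_SKIP_DEFS = {"PRIMARY", "KEY", "UNIQUE", "CONSTRAINT", "INDEX", "FOREIGN"}


@dataclass
class Finding:
    table: str
    row: int
    column: str
    shape: str      # hash family, or "unrecognised (possibly plaintext)"
    preview: str    # first 8 characters only; never echo the whole secret


def _unquote(tok: str):
    """SQL literal token -> Python value (None for NULL; numbers kept as text)."""
    if tok.upper() == "NULL":
        return None
    if tok.startswith("'"):
        return re.sub(r"\\(.)", r"\1", tok[1:-1].replace("''", "'"))
    return tok


def classify(value: str):
    """Return the hash family a value looks like, or None."""
    return next((name for name, pat in HASH_SHAPES.items() if pat.match(value)), None)


def table_columns(sql: str) -> dict:
    """Column order per table from CREATE TABLE, used for INSERTs without a column list."""
    tables = {}
    for name, body in CREATE_RE.findall(sql):
        cols = []
        for line in body.splitlines():
            m = re.match(r"\s*`?(\w+)`?\s+", line)
            if m and m.group(1).upper() not in _SKIP_DEFS:
                cols.append(m.group(1))
        tables[name] = cols
    return tables


def scan_dump(sql: str) -> list:
    """Flag every value in a credential-named column, plus hash-shaped values anywhere.

    A value in a password column that matches no known hash shape is still
    reported, since it may simply be a plaintext password.
    """
    tables = table_columns(sql)
    findings = []
    for m in INSERT_RE.finditer(sql):
        table, col_list, values = m.group(1), m.group(2), m.group(3)
        cols = re.findall(r"\w+", col_list) if col_list else tables.get(table, [])
        for row, tup in enumerate(TUPLE_RE.findall(values)):
            for i, val in enumerate(_unquote(t) for t in VALUE_RE.findall(tup)):
                col = cols[i] if i < len(cols) else f"col{i}"
                if not isinstance(val, str):
                    continue
                shape = classify(val)
                if col.lower() in CREDENTIAL_COLUMNS or shape:
                    findings.append(Finding(table, row, col,
                                            shape or "unrecognised (possibly plaintext)",
                                            val[:8] + "..."))
    return findings


def sanitize_dump(sql: str, findings: list) -> str:
    """Schema-only copy: INSERTs into any table with findings become a comment."""
    rows = {}
    for f in findings:
        rows.setdefault(f.table, set()).add(f.row)

    def repl(m):
        table = m.group(1)
        if table not in rows:
            return m.group(0)
        return f"-- INSERT INTO `{table}` removed: {len(rows[table])} row(s) carried credential material"
    return INSERT_RE.sub(repl, sql)


if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for f in found:
        print(f"{f.table}.{f.column} row {f.row}: {f.shape} ({f.preview})")
    print(sanitize_dump(SAMPLE_DUMP, found))
```

Run against the sample, the scanner reports three findings in users.password (an MD5-shaped value, a bcrypt-shaped value and one unrecognised value that is probably plaintext) and leaves the posts table untouched in the sanitized output. Removing the rows from the working tree is only half of the fix for this weakness class: the file also has to be purged from repository history, the web server should not serve .sql files from the document root, and any hash that was ever reachable should be treated as compromised and the corresponding password reset. The regex-based parser is deliberately narrow (backtick-quoted identifiers, no multi-statement lines); a production scanner would sit on a real SQL grammar.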
