CVE-2024-40498
Published: 05 August 2024
Summary
CVE-2024-40498 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-40498 is a SQL injection vulnerability in PuneethReddyHC Online Shopping system advanced version 1.0 that resides in the register.php component. The flaw, tracked under CWE-89, permits an unauthenticated remote attacker to supply crafted input that is executed as SQL statements, resulting in arbitrary code execution on the underlying database server.
An attacker with network access and no credentials or user interaction can exploit the issue to read, modify, or delete data and potentially gain further control over the application host. The vulnerability carries a CVSS 3.1 base score of 9.8, reflecting its critical severity due to the combination of network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.
The single public reference is a GitHub repository that appears to contain proof-of-concept material; no vendor advisory, patch, or official mitigation guidance is referenced in the available data. The associated EPSS score has remained flat at 0.1178 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38483
Vulnerability details
SQL Injection vulnerability in PuneethReddyHC Online Shopping sysstem advanced v.1.0 allows an attacker to execute arbitrary code via the register.php
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.