CVE-2024-6043
Published: 17 June 2024
Summary
CVE-2024-6043 is a medium-severity SQL Injection (CWE-89) vulnerability in Mayurik Best House Rental Management System. Its CVSS 4.0 base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.5% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
An SQL injection vulnerability, tracked as CVE-2024-6043 and assigned CWE-89, affects the login function in admin_class.php of SourceCodester Best House Rental Management System version 1.0. The vulnerability-database entry quoted below classifies it as critical, while its CVSS 4.0 score is 6.9 (Medium). The flaw arises from improper handling of the username argument: the value is used in the login query without being neutralised, so an attacker can inject arbitrary SQL into that query.
The issue can be exploited remotely by unauthenticated attackers over the network. Because the injection point is the login check itself, the most direct consequence is bypass of the admin authentication; beyond that, the injected SQL can allow unauthorized database access, data exfiltration, or modification of application data. Public exploit code has been disclosed.
The associated EPSS score has remained flat at 0.2668 with no material increase since disclosure.
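As an added illustration of the weakness described above (this is not code from admin_class.php or from SourceCodester, whose source is not reproduced on this page), the following Python/sqlite3 snippet models a login query assembled from the username string beside the parameterised form that closes the hole. The table layout, the admin credentials and the injection payloads are constructed for the example; passwords are kept in clear text only to keep the snippet short.

```python
"""Constructed CWE-89 demonstration: a login check that splices the
username into SQL, beside a parameterised version. Not the real
admin_class.php; the schema and credentials are invented for the example."""
import sqlite3


def make_db():
    """Constructed sample database with one admin account."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, type INTEGER)"
    )
    # Plain-text password only for brevity of the example.
    con.execute(
        "INSERT INTO users (username, password, type) VALUES ('admin', 'S3cret!', 1)"
    )
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Weak pattern: attacker-controlled strings are concatenated into the SQL.

    A username such as  admin'--   turns the statement into
    ... WHERE username = 'admin'-- ' AND password = '...'
    so the password clause is commented out and the admin row is returned.
    """
    sql = (
        "SELECT id, username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Parameterised query: the driver binds the values, so quote characters
    and comment markers in the input never change the statement structure."""
    return con.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo():
    """Run both variants against the same constructed payloads."""
    con = make_db()
    payloads = ["admin'-- ", "' OR 1=1-- "]
    results = {}
    for p in payloads:
        results[p] = {
            "vulnerable": login_vulnerable(con, p, "wrong-password"),
            "safe": login_safe(con, p, "wrong-password"),
        }
    return results


if __name__ == "__main__":
    for payload, outcome in demo().items():
        print(repr(payload), outcome)
```

With either payload, `login_vulnerable` returns the admin row despite a wrong password, while `login_safe` returns nothing; only the genuine credentials pass the parameterised check. The same fix applies to the PHP code the advisory describes: bind the username with a prepared statement (mysqli or PDO) instead of interpolating it into the query string.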
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47201
Vulnerability details
A vulnerability classified as critical has been found in SourceCodester Best House Rental Management System 1.0. This affects the function login of the file admin_class.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268767.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection")
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the unauthenticated login of a public-facing PHP web application gives initial access via Exploit Public-Facing Application (T1190) and, once the attacker is in, a foothold for persistence via Server Software Component (T1505), as mapped in advisories.
Affected Assets
- SourceCodester Best House Rental Management System 1.0 (login function in admin_class.php, username argument)
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the controls are derived from the weakness type cited in the NVD entry (CWE-89). For CWE-89 the primary control is to bind the username and password with parameterised queries or prepared statements rather than concatenating them into the SQL string, with server-side input validation as defense in depth.