Cyber Resilience

CVE-2024-9326

MediumPublic PoC

Published: 29 September 2024

Published
29 September 2024
Modified
02 October 2024
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.1976 95.6th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-9326 is a medium-severity SQL Injection (CWE-89) vulnerability in Phpgurukul Online Shopping Portal. Its CVSS base score is 6.9 (Medium).

Operationally, ranked in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A critical SQL injection vulnerability exists in PHPGurukul Online Shopping Portal 2.0 within the unknown code of the file /shopping/admin/index.php in the Admin Panel component. The flaw is triggered by improper handling of the username argument and is tracked as CWE-89. It can be reached over the network without authentication or user interaction, resulting in a CVSS 4.0 score of 6.9.

Remote, unauthenticated attackers can supply crafted input to the username field and execute arbitrary SQL statements against the backend database. Successful exploitation may allow limited read, write, or delete operations on application data, though the precise impact depends on database privileges and configuration.

Public exploit code has been disclosed, and the EPSS score currently sits at 0.1976 with a recorded peak of 0.2011. No vendor advisory or patch information is provided in the referenced sources.

EU & UK References

Vulnerability details

A vulnerability classified as critical was found in PHPGurukul Online Shopping Portal 2.0. This vulnerability affects unknown code of the file /shopping/admin/index.php of the component Admin Panel. The manipulation of the argument username leads to sql injection. The attack can…

more

be initiated remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

phpgurukul
online shopping portal
2.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References