CVE-2024-9326
Published: 29 September 2024
Summary
CVE-2024-9326 is a medium-severity SQL Injection (CWE-89) vulnerability in Phpgurukul Online Shopping Portal. Its CVSS base score is 6.9 (Medium).
Operationally, it ranks in the top 4.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A critical SQL injection vulnerability exists in PHPGurukul Online Shopping Portal 2.0, in an unspecified part of the file /shopping/admin/index.php in the Admin Panel component. The flaw is triggered by improper handling of the username argument and is tracked as CWE-89. It can be reached over the network without authentication or user interaction, resulting in a CVSS 4.0 score of 6.9.
Remote, unauthenticated attackers can supply crafted input to the username field and execute arbitrary SQL statements against the backend database. Successful exploitation may allow limited read, write, or delete operations on application data, though the precise impact depends on database privileges and configuration.
Public exploit code has been disclosed, and the EPSS score currently sits at 0.1976 with a recorded peak of 0.2011. No vendor advisory or patch information is provided in the referenced sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49865
Vulnerability details
A vulnerability classified as critical was found in PHPGurukul Online Shopping Portal 2.0. This vulnerability affects unknown code of the file /shopping/admin/index.php of the component Admin Panel. The manipulation of the argument username leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.