[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] CVE-2024-30922: SQL Injection in DerbyNet v9.0 via print/render/award.inc
From:       Valentin Lobstein via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2024-04-03 18:38:20
Message-ID: 2VnH5UE9E2I-lTtlS7Sz4x1nVG0hQK3yyZgjhPmIGjrakILSDhLmSpdmosdmjLaQ_GSTxCejWiT6e_wPagxJ7SJuAcZt_WwEGQo4OqVRGC0= () protonmail ! com
[Download RAW message or body]

CVE ID: CVE-2024-30922

Description:
A SQL Injection vulnerability has been identified in DerbyNet version 9.0, specifically \
affecting the 'where' clause in Award Document Rendering through the component \
`print/render/award.inc`. This vulnerability allows remote attackers to execute arbitrary code \
and disclose sensitive information without requiring authentication.

Vulnerability Type: SQL Injection

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: print/render/award.inc

Attack Type: Remote

Impact:
- Code execution: True
- Information Disclosure: True

Attack Vectors:
The vulnerability in the document rendering endpoint, particularly within \
`print/render/award.inc`, is exposed to an unauthenticated SQL Injection. This flaw allows \
attackers to manipulate SQL queries by injecting malicious SQL code, potentially leading to \
unauthorized data access and manipulation.

Discoverer: Valentin Lobstein

References:
- Official website: http://derbynet.com
- Source code on GitHub: https://github.com/jeffpiazza/derbynet
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[prev in list] [next in list] [prev in thread] [next in thread]