SQL Injection in Project Worlds Life Insurance Management System 1.0 /editPayment.php (CVE-2024-10734)

Key Information 1. Vulnerability Name: - Project Worlds Life Insurance Management System 1.0 /editPayment.php RECEIPT_NO SQL INJECTION 2. Vulnerability ID: - VDB-282903 - CVE-2024-10734 3. CVSS Meta Temp Score: - 6.0 4. Current Vulnerability Price: - $0-$5k 5. CTI Interest Score: - 2.98 6. Vulnerability Description: - A vulnerability was found in Project Worlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown code block of the file /editPayment.php. The manipulation of the argument receipt_no with an unknown input leads to a SQL injection vulnerability. 7. Impact: - The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. 8. CVE Description: - A vulnerability was found in Project Worlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown part of the file /editPayment.php. The manipulation of the argument receipt_no leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. 9. Exploit Details: - It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2024-10734. The exploitability is told to be easy. It is possible to initiate the attack remotely. Technical details and a public exploit are known. The attack technique deployed by this issue is T1505 according to MITRE ATT&CK. 10. Exploit Tools: - The exploit is shared for download at github.com. It is declared as proof-of-concept. By approaching the search of inurl:editPayment.php it is possible to find vulnerable targets with Google Hacking. 11. Recommended Mitigation: - There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. 12. Related Links: - See VDB-199685 and VDB-275924 for similar entries.

Goal Reached Thanks to every supporter — we hit 100%!

SQL Injection in Project Worlds Life Insurance Management System 1.0 /editPayment.php (CVE-2024-10734)