Guangzhou Tuchuang Interlib <=V2.0.1 BatchOrder SQL Injection (CVE-2024-10947)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability ID: CVE-2024-10947 2. Vulnerability Name: Guangzhou Tuchuang Computer Software Development Co., Ltd. Interlib Library Cluster Management System (<=V 2.0.1) BatchOrder SQL Injection Vulnerability 3. Vulnerability Description: - The BatchOrder module in Interlib Library Cluster Automation Management System V2.0.1, developed by Guangzhou Tuchuang Computer Software Development Co., Ltd., contains an SQL injection vulnerability. - The module does not properly filter or validate user-supplied SQL statements, allowing attackers to construct malicious SQL queries and execute unauthorized database operations. - Unauthenticated attackers can exploit this vulnerability to retrieve sensitive information from the database, such as library configuration data and user information. 4. POC: - Provides an example exploit request, including details such as the GET request URL, HTTP version, Host, User-Agent, Accept, Accept-Language, Cookie, etc. 5. CVSS Score: - CVSS Base Score: 6.7 - CVSS Temporal Score: NA - CVSS Environmental Score: NA - CVSS Overall Score: 6.7 - CVSS Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L 6. Exploitability Metrics: - Attack Vector (AV): Network (AV:N) - Attack Complexity (AC): Low (AC:L) - Privileges Required (PR): None (PR:N) - User Interaction (UI): None (UI:N) 7. Impact Metrics: - Confidentiality Impact (C): High (C:H) - Integrity Impact (I): High (I:H) - Availability Impact (A): High (A:H) This information helps understand the severity, scope of impact, and potential exploitation methods for the vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Guangzhou Tuchuang Interlib <=V2.0.1 BatchOrder SQL Injection (CVE-2024-10947)