CVE-2023-24221 – LuckyframeWEB v3.5 contains a SQL injection vul... (How to Fix)

Q: What is the severity of CVE-2023-24221?

CVE-2023-24221 has a CVSS score of 9.8 (CRITICAL). LuckyframeWEB v3.5 contains a SQL injection vulnerability in the dataScope parameter at /system/DeptMapper.xml that allows attackers to execute arbitrary SQL commands. This affects all deployments of LuckyframeWEB v3.5 that expose the vulnerable endpoint. Attackers can potentially access, modify, or delete database content.

📋 TL;DR

LuckyframeWEB v3.5 contains a SQL injection vulnerability in the dataScope parameter at /system/DeptMapper.xml that allows attackers to execute arbitrary SQL commands. This affects all deployments of LuckyframeWEB v3.5 that expose the vulnerable endpoint. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:

LuckyframeWEB

Versions: v3.5

Operating Systems: Any

Default Config Vulnerable: ⚠️ Yes

Notes: All deployments with the vulnerable endpoint accessible are affected

📦 What is this software?

Luckyframeweb by Luckyframe

View all CVEs affecting Luckyframeweb →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠

Likely Case

Database information disclosure, privilege escalation, or data manipulation

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage

🌐 Internet-Facing: HIGH - Web application directly exposed to internet with SQL injection vulnerability

🏢 Internal Only: HIGH - Internal attackers can exploit this to gain unauthorized database access

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection vulnerabilities are commonly weaponized and this appears to be unauthenticated

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/seagull1985/LuckyFrameWeb/issues/23

Restart Required: No

Instructions:

No official patch available. Check GitHub repository for updates or apply workarounds.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize the dataScope parameter before processing

Implement parameterized queries or prepared statements in DeptMapper.xml

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

Configure WAF to block SQL injection patterns targeting /system/DeptMapper.xml

🧯 If You Can't Patch

Restrict network access to the application using firewall rules
Implement database user with minimal required permissions

🔍 How to Verify

Check if Vulnerable:

Test the /system/DeptMapper.xml endpoint with SQL injection payloads in the dataScope parameter

Check Version:

Check application version in web interface or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return error messages

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts following SQL injection patterns
Requests to /system/DeptMapper.xml with suspicious parameters

Network Indicators:

HTTP requests containing SQL keywords (SELECT, UNION, etc.) in parameters
Unusual traffic patterns to the vulnerable endpoint

SIEM Query:

source="web_logs" AND uri="/system/DeptMapper.xml" AND (param="dataScope" AND value MATCHES "(?i)(SELECT|UNION|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)")

📊 Metadata

CVE ID: CVE-2023-24221

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: February 17, 2023

Last Updated: March 18, 2025

🔗 References

https://github.com/seagull1985/LuckyFrameWeb/issues/23 Exploit,Issue Tracking,Vendor Advisory
https://github.com/seagull1985/LuckyFrameWeb/issues/23 Exploit,Issue Tracking,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-24221, you might also want to check these: