CVE-2024-24112
📋 TL;DR
CVE-2024-24112 is a SQL injection vulnerability in xmall v1.1: the orderDir parameter, a sort direction, is concatenated into the ORDER BY clause of a database query, so a crafted request value alters the SQL that is executed. Every deployment running the vulnerable version is affected, putting the confidentiality and integrity of the application database at risk.
💻 Affected Systems
- xmall
📦 What is this software?
Xmall by Exrick, an open-source e-commerce shop with a Java (Spring Boot) backend and a Vue front end.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application's database: reading and modifying everything the application's database account can reach, and, where that account has file-write or command-execution privileges on the database server, remote code execution on it.
Likely Case
Unauthorized read access to application data (items, users, orders) via blind inference, with data modification possible if the database account has write privileges; in practice the attacker gets whatever the application's database account is allowed to do.
If Mitigated
With orderDir restricted to an allowlist before it reaches the query, or blocked at a WAF, the injected value never becomes part of the SQL and the issue is not exploitable.
🎯 Exploit Status
Straightforward: the injection point is reachable with a single request parameter and needs only basic SQL knowledge. Because the value lands in an ORDER BY clause, data is typically extracted by boolean-based inference (does the sort order change?) or time-based inference rather than by direct UNION output; standard tooling handles both.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/Exrick/xmall/issues/78
Restart Required: No
Instructions:
1. Check the GitHub repository (the issue above and any later commits or tags) for a fix or an updated release; no patched version is identified here. 2. Fix the orderDir handling with an allowlist: a sort direction is part of the ORDER BY clause, which no database driver accepts as a bind parameter, so the request value must be mapped onto a fixed ASC/DESC fragment and anything else rejected or replaced with the default. 3. Apply the same rule to every other value that is substituted into SQL text (sort column, table names) and use bound parameters for all data values.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation that accepts only the two legitimate values for orderDir and maps them onto fixed SQL fragments. This is the real fix as well as the workaround: a sort direction sits in the ORDER BY clause, where a bind parameter cannot be used, so an allowlist is the only correct handling. The snippet below is illustrative JavaScript; in a Java backend the same check belongs in the controller or service before the value reaches the data layer (if a MyBatis mapper is used, a ${orderDir} substitution must never receive the raw request value, since ${} splices text into the statement while #{} binds it).
// Example: normalise orderDir to one of the two permitted values
// (case-insensitive compare; anything else falls back to the default)
const permitted = ['asc', 'desc'];
orderDir = String(orderDir ?? '').trim().toLowerCase();
if (!permitted.includes(orderDir)) {
orderDir = 'asc';
}
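The following is an added example, not code from this advisory or from the xmall project, that shows why the fix instructions above insist on an allowlist: a sort direction cannot be bound as a parameter, string concatenation lets a crafted value change the query, and the allowlist version ignores the same value. The table, rows and query are constructed for illustration and run on an in-memory SQLite database.

```python
# Added example (not code from the advisory or the xmall project): why a sort
# direction taken from a request cannot be handled with bind parameters and
# must be allow-listed instead. Table, rows and query are constructed here.
import sqlite3

ROWS = [("apple", 3), ("pear", 1), ("fig", 2)]  # constructed sample data

# The only two SQL fragments the application should ever emit.
ORDER_DIRS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE item (name TEXT, price INTEGER)")
    con.executemany("INSERT INTO item VALUES (?, ?)", ROWS)
    return con


def list_items_vulnerable(con, order_dir):
    # The pattern behind the CVE: the request value is spliced into the SQL text.
    sql = f"SELECT name FROM item ORDER BY price {order_dir}"
    return [row[0] for row in con.execute(sql)]


def list_items_bound(con, order_dir):
    # A bind parameter is not a fix: SQL grammar has no placeholder position
    # where ASC/DESC goes, so preparing this statement is a syntax error
    # ("ORDER BY ?" alone would sort by a constant, i.e. not at all).
    sql = "SELECT name FROM item ORDER BY price ?"
    return [row[0] for row in con.execute(sql, (order_dir,))]


def list_items_hardened(con, order_dir):
    # Map the request value onto a fixed fragment; anything else -> default.
    direction = ORDER_DIRS.get(str(order_dir).strip().lower(), "ASC")
    sql = f"SELECT name FROM item ORDER BY price {direction}"
    return [row[0] for row in con.execute(sql)]


def probe(con, handler, value):
    """Return 'ok' if the query ran, 'sql-error' if the value broke the SQL.

    A database error on a malformed direction is the signal that the value
    is being concatenated into the query (the check the Verify section uses).
    """
    try:
        handler(con, value)
        return "ok"
    except sqlite3.OperationalError:
        return "sql-error"


# A boolean-inference payload: sorts by -price (i.e. descending) only when the
# subquery's condition holds, so the response order leaks one bit per request.
INFERENCE_PAYLOAD = "* (CASE WHEN (SELECT count(*) FROM item) = 3 THEN -1 ELSE 1 END)"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, asc     :", list_items_vulnerable(db, "asc"))
    print("vulnerable, payload :", list_items_vulnerable(db, INFERENCE_PAYLOAD))
    print("hardened,   payload :", list_items_hardened(db, INFERENCE_PAYLOAD))
    print("probe vulnerable    :", probe(db, list_items_vulnerable, "asc' OR '1'='1"))
    print("probe hardened      :", probe(db, list_items_hardened, "asc' OR '1'='1"))
    print("probe bound         :", probe(db, list_items_bound, "desc"))
```

The hardened variant still builds the statement with string formatting, but only from the two constants in ORDER_DIRS; the request value selects between them and never reaches the SQL text itself. The same shape applies to a sort column: a dictionary from permitted request names to real column names, with the default used for anything else.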
WAF Rule Implementation
Deploy web application firewall rules for the orderDir parameter. Decoding the argument before matching matters because exploit attempts arrive percent-encoded (sometimes doubly). A stricter alternative to pattern detection is a negative match against the allowlist: reject anything that is not asc or desc, case-insensitively.
# Example ModSecurity rule: deny values that libinjection flags as SQL injection
SecRule ARGS:orderDir "@detectSQLi" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection attempt in orderDir'"
🧯 If You Can't Patch
- Implement strict input validation for orderDir parameter to only accept 'asc' or 'desc' values
- Deploy a web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Send orderDir=asc and orderDir=desc, then a malformed value such as orderDir=asc' OR '1'='1. If the malformed value produces a database error (an HTTP 500, or a SQL syntax message in the response or the server log) while the legitimate values work, the parameter is being concatenated into the query and the deployment is vulnerable.
Check Version:
The vulnerable code is in the Java backend, so check the version in the backend pom.xml and the git tag or commit the deployment was built from; the front end's package.json does not identify the backend build.
Verify Fix Applied:
Repeat the check above after updating: the legitimate values must still sort correctly, and any other value must be rejected (4xx) or silently replaced by the default order, with no database error in the response or the logs.
📡 Detection & Monitoring
Log Indicators:
- Database errors (SQL syntax messages) in application or database logs immediately following requests whose orderDir value is anything other than asc or desc
- HTTP 5xx responses clustered on requests with a non-standard orderDir value
- Bursts of requests from one source that vary only orderDir, with item ordering flipping between responses (boolean inference) or responses taking several seconds longer than usual (time-based inference)
Network Indicators:
- HTTP requests whose orderDir value contains quote, comment or parenthesis characters or SQL keywords, raw or percent-encoded (%27, %2D%2D, %28), or is simply not asc/desc
- Unusual database connection patterns from application server
SIEM Query:
source="web_logs" AND orderDir=* AND NOT (orderDir="asc" OR orderDir="desc")
This assumes orderDir is extracted as a field, URL-decoded at ingest and matched case-insensitively. If decoding is not done at ingest, add encoded variants to the match, e.g. orderDir="*%27*" OR orderDir="*%2D%2D*" OR orderDir="*%2F%2A*". Matching against the allowlist rather than for injection characters catches payloads that use only commas, parentheses and keywords.
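The same allowlist logic as a script, as an added example (not part of the advisory or the xmall project) for environments without a SIEM: it parses access-log lines, flags every orderDir value outside {asc, desc}, and reports per-source attempt and server-error counts. The log lines and the /items path are constructed sample data, not real traffic or a real xmall route.

```python
# Added example (not from the advisory or the xmall project): allow-list
# detection of orderDir abuse in access logs. Log lines below are constructed
# sample data in combined log format; the /items path is hypothetical.
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_DIRS = {"asc", "desc"}

# Matches the request line and status: "<method> <target> HTTP/x.y" <status>
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

SAMPLE_LOG = [  # constructed
    '10.0.0.5 - - [01/Feb/2024:10:00:01 +0000] "GET /items?page=1&orderDir=asc HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Feb/2024:10:00:02 +0000] "GET /items?page=1&orderDir=DESC HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Feb/2024:10:00:03 +0000] "GET /items?orderDir=asc%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312',
    '10.0.0.9 - - [01/Feb/2024:10:00:04 +0000] "GET /items?orderDir=asc%2C%28SELECT%20sleep%285%29%29 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Feb/2024:10:00:05 +0000] "GET /items?orderDir=asc%2527 HTTP/1.1" 500 312',
    '10.0.0.7 - - [01/Feb/2024:10:00:06 +0000] "GET /items?page=2 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Feb/2024:10:00:07 +0000] "POST /login HTTP/1.1" 302 0',
]


def order_dir_values(target):
    """All orderDir values in a request target, percent-decoded twice so a
    double-encoded quote (%2527) is seen as the quote it becomes server-side."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("orderDir", [])
    return [unquote(v) for v in values]


def is_suspicious(value):
    # Anything outside the two legitimate values, compared case-insensitively,
    # is a probe or an exploit attempt: there is no third valid direction.
    return value.strip().lower() not in ALLOWED_DIRS


def scan(lines):
    """Return one hit per suspicious orderDir value, with source and status."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for value in order_dir_values(m.group("target")):
            if is_suspicious(value):
                hits.append({"ip": line.split()[0], "value": value, "status": int(m.group("status"))})
    return hits


def summarize(hits):
    """Per-source counts; a 5xx on a malformed direction is the strongest
    sign that the value reached the SQL statement."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h["ip"], {"attempts": 0, "server_errors": 0})
        entry["attempts"] += 1
        if 500 <= h["status"] <= 599:
            entry["server_errors"] += 1
    return by_ip


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} status={h["status"]} orderDir={h["value"]!r}')
    print(summarize(found))
```

Run it over real logs by replacing SAMPLE_LOG with the lines of the access log; the combined-log regex covers Apache, Nginx and most reverse proxies. Because the check is an allowlist, it does not need updating for new payload styles, and the server-error count gives a quick read on whether attempts are reaching the database.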