CVE-2024-25247

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Niushop B2B2C V5 allows attackers to execute arbitrary SQL commands through latitude and longitude parameters in the Store.php API controller. Attackers can potentially access, modify, or delete database content. All deployments of Niushop B2B2C V5 with the vulnerable endpoint exposed are affected.

💻 Affected Systems

Products:
  • Niushop B2B2C
Versions: V5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default installation when the /app/api/controller/Store.php endpoint is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Data exfiltration of sensitive information (user credentials, payment data, business records) and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via latitude/longitude parameters suggests straightforward exploitation with common SQLi techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Check the Niushop vendor website for security updates.
2. Apply any available patches for Niushop B2B2C V5.
3. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement server-side validation to ensure latitude and longitude parameters contain only numeric values within valid ranges.

Web Application Firewall (WAF)

Applies to: all

Deploy a WAF with SQL injection rules to block malicious requests to the vulnerable endpoint.

🧯 If You Can't Patch

  • Disable or restrict access to the /app/api/controller/Store.php endpoint using network ACLs or web server configuration.
  • Implement parameterized queries or prepared statements in the Store.php controller to prevent SQL injection.
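The two workarounds above, strict server-side validation of the coordinate parameters and a parameterized query, as one added example. This is illustration code, not Niushop's Store.php; the `store` table, its columns and the bounding-box lookup are assumptions standing in for the real schema, and the data is constructed inline (SQLite in memory) so it runs offline.

```python
"""Hardened handling of latitude/longitude query parameters.

Added example (not Niushop code): the request values are checked against a
strict decimal grammar and the valid coordinate ranges, and the database is
queried only through bound placeholders. Table and column names are assumed.
"""
import re
import sqlite3

# Optional sign, up to three integer digits, optional fraction. Quotes, spaces,
# keywords, comment markers and exponents all fail this grammar.
_DECIMAL = re.compile(r"-?\d{1,3}(\.\d{1,8})?")


def parse_coordinate(raw, lo, hi):
    """Return raw as a float if it is a plain decimal within [lo, hi], else raise ValueError."""
    if not isinstance(raw, str) or not _DECIMAL.fullmatch(raw):
        raise ValueError(f"not a plain decimal: {raw!r}")
    value = float(raw)
    if not lo <= value <= hi:
        raise ValueError(f"out of range [{lo}, {hi}]: {value}")
    return value


def parse_latitude(raw):
    return parse_coordinate(raw, -90.0, 90.0)


def parse_longitude(raw):
    return parse_coordinate(raw, -180.0, 180.0)


def open_demo_db():
    """Constructed sample table standing in for a store list (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store (id INTEGER PRIMARY KEY, name TEXT, lat REAL, lng REAL)")
    conn.executemany(
        "INSERT INTO store (name, lat, lng) VALUES (?, ?, ?)",
        [("North", 31.25, 121.50), ("South", 31.15, 121.45), ("Far", 39.90, 116.40)],
    )
    return conn


def nearby_stores(conn, raw_lat, raw_lng, box=0.2):
    """Validate both parameters, then query with bound placeholders only.

    The request strings never become part of the SQL text, so even a value that
    slipped past validation could not alter the statement."""
    lat = parse_latitude(raw_lat)
    lng = parse_longitude(raw_lng)
    rows = conn.execute(
        "SELECT name FROM store WHERE lat BETWEEN ? AND ? AND lng BETWEEN ? AND ? ORDER BY name",
        (lat - box, lat + box, lng - box, lng + box),
    ).fetchall()
    return [r[0] for r in rows]


def lookup(conn, raw_lat, raw_lng):
    """Handler-shaped wrapper: invalid input produces a 400-style result and no query runs."""
    try:
        return {"status": 200, "stores": nearby_stores(conn, raw_lat, raw_lng)}
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}


if __name__ == "__main__":
    db = open_demo_db()
    print(lookup(db, "31.2", "121.5"))              # two stores inside the box
    print(lookup(db, "31.2' OR '1'='1", "121.5"))   # rejected by the grammar check
    print(lookup(db, "95", "121.5"))                # numeric but outside [-90, 90]
```

The grammar check does the heavy lifting for this endpoint because a coordinate has a very small legitimate alphabet; the prepared statement is the second, independent layer and is the one that actually closes the injection class, so both belong in the controller.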

🔍 How to Verify

Check if Vulnerable:

Test the /app/api/controller/Store.php endpoint with SQL injection payloads in latitude and longitude parameters (e.g., ' OR '1'='1).

Check Version:

Check Niushop version in admin panel or configuration files (exact command varies by deployment).

Verify Fix Applied:

Retest with SQL injection payloads after applying fixes; successful payloads should be rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Requests to /app/api/controller/Store.php with suspicious parameters containing SQL keywords

Network Indicators:

  • HTTP requests with SQL injection patterns in latitude/longitude parameters

SIEM Query:

source="web_logs" AND uri="/app/api/controller/Store.php" AND (param="latitude" OR param="longitude") AND (value="*OR*" OR value="*UNION*" OR value="*SELECT*" OR value="*--*" OR value="*;*")
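The SIEM query above, rewritten as a standalone log scanner, as an added example that is not part of the advisory. It parses combined-format access log lines (constructed samples below), restricts itself to the endpoint path the advisory names, and flags the `latitude`/`longitude` values on the same indicators as the query; it additionally flags any value that is not a plain decimal, which catches payloads that avoid the listed keywords.

```python
"""Access-log detection for the Store.php coordinate parameters.

Added example, not from the advisory. Log lines are constructed samples in
combined-log format; the path and parameter names are those the advisory gives.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/app/api/controller/Store.php"
WATCHED_PARAMS = ("latitude", "longitude")

# The advisory's SIEM indicators (OR, UNION, SELECT, --, ;) as one pattern.
SQLI_MARKERS = re.compile(r"(\bOR\b|\bUNION\b|\bSELECT\b|--|;)", re.IGNORECASE)
# A well-formed coordinate is a plain signed decimal; anything else is anomalous
# even when it carries none of the keywords above.
PLAIN_DECIMAL = re.compile(r"-?\d{1,3}(\.\d{1,8})?")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Split one combined-log line into ip, path, query parameters and status; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": parts.path, "params": params, "status": int(m.group("status"))}


def flag_request(entry):
    """Return the reasons this request looks like an injection attempt; empty list if clean."""
    reasons = []
    if entry is None or entry["path"] != TARGET_PATH:
        return reasons
    for name in WATCHED_PARAMS:
        for value in entry["params"].get(name, []):
            value = unquote(value)  # parse_qs decoded once; decode again to catch double encoding
            if SQLI_MARKERS.search(value):
                reasons.append(f"{name}: SQL marker in {value!r}")
            elif not PLAIN_DECIMAL.fullmatch(value):
                reasons.append(f"{name}: non-numeric value {value!r}")
    return reasons


def scan(lines):
    """Return (line_number, reason) pairs for every flagged parameter across the log."""
    return [(i, r) for i, line in enumerate(lines, 1) for r in flag_request(parse_log_line(line))]


# Constructed sample log: one benign request, two keyword payloads, one
# non-numeric value, and one hit on an unrelated path that must not alert.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2024:10:01:02 +0000] "GET /app/api/controller/Store.php?latitude=31.2&longitude=121.5 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2024:10:01:09 +0000] "GET /app/api/controller/Store.php?latitude=31.2%27%20OR%20%271%27%3D%271&longitude=121.5 HTTP/1.1" 200 9000',
    '203.0.113.7 - - [10/Feb/2024:10:01:15 +0000] "GET /app/api/controller/Store.php?latitude=31.2&longitude=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 212',
    '203.0.113.9 - - [10/Feb/2024:10:02:00 +0000] "GET /app/api/controller/Store.php?latitude=31.2&longitude=abc HTTP/1.1" 200 120',
    '198.51.100.2 - - [10/Feb/2024:10:03:00 +0000] "GET /index.php?latitude=%27 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Pairing the keyword match with the "is it even a number" check matters here: the keyword list is what the SIEM query gives you, but the positive grammar check is what holds up against encodings and comment tricks the list does not anticipate, and for a coordinate parameter it produces almost no false positives.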
