CVE-2024-28714

8.1 HIGH

📋 TL;DR

This SQL injection vulnerability in the CRMEB_Java e-commerce system allows attackers to execute arbitrary SQL commands via the groupid parameter. Attackers can potentially read, modify, or delete database contents and, in some configurations, execute arbitrary code. All deployments of CRMEB_Java version 1.3.4 are affected.

💻 Affected Systems

Products:
  • CRMEB_Java e-commerce system
Versions: v1.3.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.3.4 are vulnerable by default. The vulnerability is in the groupid parameter handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise including database destruction, sensitive data theft, and remote code execution leading to full server takeover.

🟠 Likely Case

Database information disclosure, data manipulation, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via groupid parameter is straightforward to exploit. Public proof-of-concept exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://crmebjava.com

Restart Required: No

Instructions:

1. Check the vendor website for patches or updated versions.
2. If no patch is available, implement input validation and parameterized queries.
3. Consider upgrading to a newer version if available.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add server-side validation to reject malicious groupid parameter values.

Implement regex validation: ^[0-9]+$ for the groupid parameter, applied as an anchored full match so that only digit strings are accepted.

Web Application Firewall Rules (applies to: all)

Block SQL injection patterns in the groupid parameter.

WAF rule: detect SQL keywords in the groupid parameter.

🧯 If You Can't Patch

  • Implement parameterized queries/prepared statements for all database operations
  • Apply strict input validation and sanitization for the groupid parameter

🔍 How to Verify

Check if Vulnerable:

Test the groupid parameter with SQL injection payloads such as: groupid=1' OR '1'='1

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Test with same payloads and verify no SQL errors or unexpected behavior occurs

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database queries from web application
  • Multiple failed login attempts following SQL errors

Network Indicators:

  • HTTP requests with SQL keywords in groupid parameter
  • Abnormal database connection patterns from web server

SIEM Query:

source="web_logs" AND (groupid="*' OR*" OR groupid="*UNION*" OR groupid="*SELECT*" OR groupid="*--*")
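The two defensive pieces above, the ^[0-9]+$ validation filter from the workarounds section and the groupid patterns from the SIEM query, as an added Python example that is not part of the advisory or of CRMEB_Java itself. The access-log lines are constructed, the endpoint path is a placeholder, and the payload is the one from the "Check if Vulnerable" step; the injection patterns are matched on the URL-decoded value so percent-encoded variants are not missed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Workaround from the advisory: accept only digit strings for groupid. fullmatch is
# used instead of ^...$ so that a trailing newline or any other stray character fails.
GROUPID_RE = re.compile(r"[0-9]+")

def groupid_is_valid(value: str) -> bool:
    """True only when the whole value is one or more ASCII digits."""
    return GROUPID_RE.fullmatch(value) is not None

# Detection: the same fragments the advisory's SIEM query matches in groupid
# (' OR, UNION, SELECT, --), applied case-insensitively to the URL-decoded value.
INJECTION_RE = re.compile(r"'\s*OR\b|\bUNION\b|\bSELECT\b|--", re.IGNORECASE)

# Request field of a Common Log Format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"([A-Z]+) ([^" ]+) HTTP/[0-9.]+"')

def groupid_from_log_line(line: str):
    """Return the URL-decoded groupid value from an access-log line, or None if absent."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlparse(m.group(2)).query
    values = parse_qs(query, keep_blank_values=True).get("groupid")
    return values[0] if values else None

def suspicious_groupid_requests(log_lines):
    """Return decoded groupid values that fail the digit filter and match an injection pattern."""
    hits = []
    for line in log_lines:
        gid = groupid_from_log_line(line)
        if gid is None or groupid_is_valid(gid):
            continue
        if INJECTION_RE.search(gid):
            hits.append(gid)
    return hits

# Constructed sample lines (not real traffic); /placeholder/list is a stand-in path and the
# first payload is the one the advisory's "Check if Vulnerable" step uses. "abc" is malformed
# but not injection-like, so it fails validation without being flagged as an attack.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /placeholder/list?groupid=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /placeholder/list?groupid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /placeholder/list?groupid=1%20union%20select%201 HTTP/1.1" 500 88',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /placeholder/list?groupid=abc HTTP/1.1" 400 20',
]

if __name__ == "__main__":
    for gid in suspicious_groupid_requests(SAMPLE_LOG):
        print("suspicious groupid:", gid)
```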
