CVE-2024-34949

8.2 HIGH

📋 TL;DR

This SQL injection vulnerability in Likeshop allows attackers to execute arbitrary SQL commands through the OrderLogic::getOrderList function at the /admin/order/lists.html endpoint. Attackers can potentially access, modify, or delete database content. All Likeshop instances before version 2.5.7 are affected.

💻 Affected Systems

Products:
  • Likeshop
Versions: All versions before 2.5.7
Operating Systems: Any OS running Likeshop
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the admin endpoint, but authentication status is not specified in available information.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, data manipulation, and potential administrative account takeover.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit with basic knowledge of SQL and web requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.7

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Back up your database and application files.
2. Download Likeshop version 2.5.7 or later from official sources.
3. Replace the vulnerable files with the patched version.
4. Restart the web server and application services.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement strict input validation and parameterized queries for the affected endpoint.

Command: Not applicable - requires code modification

Access Restriction (platform: linux)

Restrict access to the /admin/order/lists.html endpoint using web server rules or a firewall.

# Example nginx location block restriction: deny the vulnerable admin endpoint
# for everyone. "deny all" already answers matching requests with HTTP 403 in
# the access phase, so a separate "return 403" is not needed.
location /admin/order/lists.html {
    # To keep the page reachable from a trusted admin network only, put an
    # allow rule first, e.g. "allow 192.0.2.0/24;" (example range).
    deny all;
}

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with SQL injection protection rules
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Check the Likeshop version in the admin panel or in the application configuration files. If the version is below 2.5.7, the system is vulnerable.

Check Version:

Check admin panel or examine application configuration files for version information

Verify Fix Applied:

Verify that the version is 2.5.7 or higher and test the /admin/order/lists.html endpoint with SQL injection test payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin endpoint
  • Requests to /admin/order/lists.html with SQL keywords

Network Indicators:

  • HTTP POST/GET requests to vulnerable endpoint containing SQL syntax
  • Unusual database connection patterns

SIEM Query:

web.url:*admin/order/lists.html AND (web.query:*SELECT* OR web.query:*UNION* OR web.query:*OR*1=1*)
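The same detection logic as the SIEM query above, run over constructed access-log lines, as an added example that is not part of the original advisory. It matches the keywords with word boundaries so that benign queries such as `keyword=organic selection` or `order_sn=1001` (which the wildcard `*SELECT*` / `*OR*` patterns would flag) do not raise alerts; the log lines and IP addresses are made up for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines in nginx/Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /admin/order/lists.html?page=1&order_sn=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2024:12:00:02 +0000] "GET /admin/order/lists.html?order_sn=1%27%20OR%201%3D1--%20 HTTP/1.1" 200 9001 "-" "curl/8.0"
203.0.113.12 - - [10/May/2024:12:00:03 +0000] "GET /admin/order/lists.html?keyword=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [10/May/2024:12:00:04 +0000] "GET /index.html?q=UNION%20SELECT HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.14 - - [10/May/2024:12:00:05 +0000] "GET /admin/order/lists.html?keyword=organic%20selection HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/admin/order/lists.html"
# Word-bounded tokens: "selection" and "order" must not match SELECT / OR.
# Whitespace around "OR 1=1" is optional because attackers often strip or encode it.
SQLI_RE = re.compile(r"\b(UNION|SELECT)\b|\bOR\b\s*1\s*=\s*1", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = unquote_plus(parts.query)  # decode %20, %27, '+' before matching
    return entry


def is_suspicious(entry):
    """True when the request hits the vulnerable endpoint with SQL keywords in its query string."""
    if entry is None or not entry["path"].startswith(VULN_PATH):
        return False
    return SQLI_RE.search(entry["query"]) is not None


def find_hits(log_text):
    """Return (client ip, decoded query, status) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["ip"], entry["query"], entry["status"]))
    return hits


if __name__ == "__main__":
    for ip, query, status in find_hits(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} query={query!r}")
```

A status of 500 on a flagged request is worth a closer look: it is consistent with the injected input breaking the query rather than being handled as data.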
