CVE-2024-6109

6.3 MEDIUM

📋 TL;DR

This CVE describes a critical SQL injection vulnerability in Tailoring Management System 1.0's addmeasurement.php file. Attackers can remotely exploit this by manipulating the 'id' parameter to execute arbitrary SQL commands. Organizations using this specific version of the Tailoring Management System are affected.

💻 Affected Systems

Products:
  • itsourcecode Tailoring Management System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where the vulnerable addmeasurement.php file is reachable over the web.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, data exfiltration, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, though SQL injection attempts would still be logged.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and a public exploit exists.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but doing so requires network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries and input validation in addmeasurement.php, or replace with a secure alternative system.

🔧 Temporary Workarounds

Web Application Firewall (WAF)
Applies to: all

Deploy a WAF with SQL injection protection rules to block exploitation attempts.

Input Validation
Applies to: all

Add strict input validation for the 'id' parameter so that it only accepts expected values.

🧯 If You Can't Patch

  • Isolate the system from the internet and restrict access to authorized users only.
  • Implement database-level controls: use least privilege accounts, enable audit logging, and restrict database functions.

🔍 How to Verify

Check if Vulnerable:

Check if addmeasurement.php exists in your Tailoring Management System installation and test for SQL injection using safe testing methods.

Check Version:

Check system documentation or configuration files for version information.

Verify Fix Applied:

Verify that parameterized queries are implemented in addmeasurement.php and test with SQL injection payloads to confirm they're blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or parameter manipulation in web server logs

Network Indicators:

  • SQL injection patterns in HTTP requests to addmeasurement.php

SIEM Query:

web.url:*addmeasurement.php* AND (web.param:*id* AND (web.param.value:*OR* OR web.param.value:*UNION* OR web.param.value:*SELECT*))
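The SIEM query above, implemented as a standalone log scanner, as an added example that is not part of this advisory. It assumes web server logs in the common Apache/nginx combined format and constructed sample lines; it goes slightly beyond the query by matching the keywords on word boundaries, so benign values such as "tailor" or "colors" do not trip the bare *OR* wildcard, and by URL-decoding the 'id' value before inspecting it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in combined log format (not real traffic from any system).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /tms/addmeasurement.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "GET /tms/addmeasurement.php?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "GET /tms/addmeasurement.php?id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 4321 "-" "sqlmap/1.8"
198.51.100.7 - - [10/Jun/2024:12:00:04 +0000] "GET /tms/index.php?page=colors HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2024:12:00:05 +0000] "GET /tms/addmeasurement.php?id=tailor HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Word-boundary match: the advisory's *OR*/*UNION*/*SELECT* wildcards would also hit
# harmless values like "tailor" or "colors"; \b keeps those out.
SQLI_TOKENS = re.compile(r"\b(OR|UNION|SELECT)\b", re.IGNORECASE)


def suspicious_id_value(target: str):
    """Return the decoded 'id' value when the request targets addmeasurement.php
    and that value contains an injection keyword; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("addmeasurement.php"):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        value = unquote_plus(raw)  # parse_qs already decoded once; this catches double encoding
        if SQLI_TOKENS.search(value):
            return value
    return None


def scan_log(text: str):
    """Scan combined-format log text and return one dict per flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        value = suspicious_id_value(m["target"])
        if value is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"], "id": value, "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 response with an unusually large body on a flagged request (as in the second sample line) is worth correlating with the database logs, since it suggests the injected query returned extra rows.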

🔗 References