CVE-2024-6735

CVSS base score: 6.3 MEDIUM

📋 TL;DR

CVE-2024-6735 is a SQL injection vulnerability in Tailoring Management System 1.0, rated 6.3 (MEDIUM). The sitename, email, mobile, sms and currency parameters of setgeneral.php are placed into SQL statements without parameterization, so a remote attacker who can reach that page can run arbitrary SQL against the application database and read, modify or delete its contents. Every deployment of version 1.0 is affected, and no fixed version had been identified at the time of writing.

💻 Affected Systems

Products:
  • Tailoring Management System
Versions: 1.0
Operating Systems: All platforms running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the setgeneral.php file specifically through sitename, email, mobile, sms, and currency parameters.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: theft or destruction of all application data, and code execution on the host if the database account can write files (for example the MySQL FILE privilege combined with a writable web root).

🟠

Likely Case

Unauthorized reading and modification of application data, including any credentials stored in the database, which an attacker can use to take over an administrator account within the application.

🟢

If Mitigated

Limited impact: with parameterized queries and allow-list input validation in place, injected input is stored as plain text and cannot change the structure of the query.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploits exist.
🏢 Internal Only: MEDIUM - Anyone with network access to the application, including a compromised internal host, can exploit it.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: Unclear. The 6.3 score corresponds to CVSS "low privileges required", and setgeneral.php updates site-wide settings (site name, contact details, currency), so the page is most likely reachable only with a valid application session. Confirm whether it enforces a login before treating this as exploitable without credentials.
Complexity: LOW

Exploit details are public on GitHub and vuldb.com. Exploitation needs only a crafted request that sets one of the affected parameters, so any exposed instance should be treated as trivially exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

1. Check the vendor website for updates
2. Apply any available patches
3. If no patch exists, implement the workarounds below or consider alternative software

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Applies to: all platforms

Rewrite the database access in setgeneral.php to use prepared statements with bound parameters for all five inputs (sitename, email, mobile, sms, currency). Add allow-list validation in front of that: a fixed set of currency codes, a numeric pattern for mobile, on/off for sms, and a length limit on sitename and email. Validation alone is not the fix, because sitename and email are free text; the bound parameters are what keep attacker input from changing the query.
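The following is an added example, not code from Tailoring Management System or its maintainers. It reproduces the bug class behind this CVE next to its fix against an in-memory SQLite database so it runs offline. The real application is PHP on MySQL; the table and column names, the seeded rows and the users table are assumptions made for this illustration.

```python
"""Added example (not code from Tailoring Management System or its
maintainers): the SQL injection pattern behind CVE-2024-6735 next to its
fix, reproduced against an in-memory SQLite database.  The real application
is PHP on MySQL; the schema, seeded rows and users table are assumptions."""
import re
import sqlite3

SETTING_FIELDS = ("sitename", "email", "mobile", "sms", "currency")

# Constructed benign form submission, the kind setgeneral.php receives.
BENIGN_FORM = {
    "sitename": "Tailor Shop",
    "email": "owner@example.test",
    "mobile": "555-0100",
    "sms": "off",
    "currency": "USD",
}

# Attacker value for sitename: closes the string, appends a second SET
# clause whose value is a subquery against another table, and comments out
# the rest of the statement (including the WHERE clause).
PAYLOAD = "x', email=(SELECT password FROM users WHERE username='admin') -- "


def fresh_db() -> sqlite3.Connection:
    """Assumed schema: one settings row and a users table the injected
    subquery can read.  Not the application's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE setting (id INTEGER PRIMARY KEY, sitename TEXT, email TEXT,
                              mobile TEXT, sms TEXT, currency TEXT);
        INSERT INTO setting VALUES (1, 'Tailor Shop', 'owner@example.test',
                                    '555-0100', 'off', 'USD');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash$abc123');
        """
    )
    return conn


def update_general_vulnerable(conn: sqlite3.Connection, form: dict) -> str:
    """The vulnerable pattern: request values concatenated straight into SQL.
    A quote in any of the five fields changes the statement's structure."""
    sql = ("UPDATE setting SET "
           + ", ".join(f"{f}='{form[f]}'" for f in SETTING_FIELDS)
           + " WHERE id=1")
    conn.execute(sql)
    conn.commit()
    return sql


def validate_general(form: dict) -> dict:
    """Allow-list validation.  This narrows what reaches the query but is not
    the fix on its own: free-text fields such as sitename must still be
    passed as bound parameters."""
    cleaned = {}
    for f in SETTING_FIELDS:
        value = form.get(f)
        if not isinstance(value, str) or not 0 < len(value) <= 200:
            raise ValueError(f"{f}: missing, empty or longer than 200 characters")
        cleaned[f] = value
    if not re.fullmatch(r"[A-Z]{3}", cleaned["currency"]):
        raise ValueError("currency: expected a three-letter code such as USD")
    if not re.fullmatch(r"[0-9+() -]{3,20}", cleaned["mobile"]):
        raise ValueError("mobile: digits, spaces and +() only")
    if cleaned["sms"] not in ("on", "off"):
        raise ValueError("sms: expected on or off")
    return cleaned


def update_general_safe(conn: sqlite3.Connection, form: dict) -> str:
    """The fix: the same UPDATE with bound parameters, so attacker input is
    only ever data.  Column names come from the fixed tuple, never the request."""
    form = validate_general(form)
    sql = ("UPDATE setting SET "
           + ", ".join(f"{f}=?" for f in SETTING_FIELDS)
           + " WHERE id=1")
    conn.execute(sql, tuple(form[f] for f in SETTING_FIELDS))
    conn.commit()
    return sql


def demo_vulnerable() -> tuple:
    """(sitename, email) after the injected update: email now holds the admin
    password hash read from users, which the settings page would display."""
    conn = fresh_db()
    update_general_vulnerable(conn, {**BENIGN_FORM, "sitename": PAYLOAD})
    return conn.execute("SELECT sitename, email FROM setting WHERE id=1").fetchone()


def demo_safe() -> tuple:
    """Same payload through the parameterized path: stored as a literal
    string, other columns untouched."""
    conn = fresh_db()
    update_general_safe(conn, {**BENIGN_FORM, "sitename": PAYLOAD})
    return conn.execute("SELECT sitename, email FROM setting WHERE id=1").fetchone()


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:      ", demo_safe())
```

Running the block shows the two outcomes side by side: the concatenated UPDATE returns ('x', 'hash$abc123'), because the subquery injected through sitename rewrote the email column and the comment removed the WHERE clause, while the bound-parameter version stores the whole payload verbatim in sitename and leaves email unchanged. The same shape applies to a PHP mysqli or PDO prepared statement in setgeneral.php.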

Web Application Firewall Rules

Applies to: all platforms

Deploy WAF rules that inspect the sitename, email, mobile, sms and currency parameters of requests to setgeneral.php for SQL injection structure (quotes followed by comment markers, boolean operators, UNION SELECT, or timing functions). The rule must inspect the request body, not only the query string, since the page receives form submissions. Treat this as a stopgap that reduces exposure; it does not remove the flaw.

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict internal network access
  • Restrict setgeneral.php at the web server to an allow-list of administrator addresses, or place separate authentication in front of it, so the vulnerable page is not reachable by arbitrary clients
  • Implement strict network segmentation and monitor all traffic to/from the affected system

🔍 How to Verify

Check if Vulnerable:

Confirm that the product is Tailoring Management System and the version is 1.0, then confirm that setgeneral.php is present and reachable. The flaw is in how the page builds its SQL, not in any configuration setting, so every 1.0 installation that serves setgeneral.php should be treated as vulnerable.

Check Version:

Check the application documentation, README or changelog shipped with the installed source for version information; the application does not expose its version in an HTTP header.

Verify Fix Applied:

On a test copy, submit a value containing a single quote (for example O'Neil Tailors as sitename) and confirm that it is stored and displayed literally with no database error; then submit a known injection payload against each of the five parameters and confirm that it is either rejected or stored as plain text with no effect on the query. Do not run injection tests against production data.

📡 Detection & Monitoring

Log Indicators:

  • Database query or error logs showing UPDATE statements on the settings table that contain embedded subqueries, comment markers (--, #, /*) or boolean tautologies
  • Requests to setgeneral.php from unexpected source addresses or non-browser user agents, or bursts of requests to that single page (error-based or time-based probing)

Network Indicators:

  • SQL injection patterns in the query string or form body of HTTP requests to setgeneral.php
  • Long-running database queries (SLEEP or BENCHMARK) or SQL error messages in web server responses following requests to setgeneral.php

SIEM Query:

source="web_logs" AND uri="*setgeneral.php*" AND query="*'*" AND (query="*--*" OR query="*#*" OR query="* OR *" OR query="* AND *" OR query="*UNION*SELECT*" OR query="*SLEEP(*")

Requiring a quote plus a second indicator avoids the false positives that bare "*SELECT*" or "*UPDATE*" wildcards produce on ordinary values (a site name containing the word "Select", for example). Note that standard access logs record only the URL query string; if setgeneral.php is submitted by POST, the parameters are in the request body and will only be visible in a WAF or audit log that captures bodies.
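The following is an added example, not from the original page or the application vendor: the SIEM idea above and the WAF rule from the workarounds section expressed as one runnable matcher. It parses combined-format web access logs (an assumed format; the application itself does not log anything) and reports requests to setgeneral.php whose decoded parameters show injection structure. The log lines are constructed for this example.

```python
"""Added example (not from the original page or the application vendor):
the SIEM query as runnable detection logic over web access logs.  The same
matcher can front the application as a WAF-style request filter.  The log
lines are constructed and the combined log format is an assumption."""
import re
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/setgeneral.php"
WATCHED_PARAMS = {"sitename", "email", "mobile", "sms", "currency"}

# Constructed combined-format access log: a benign admin session whose site
# name happens to contain "Select", two injection probes from another
# address, then unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2024:10:01:02 +0000] "GET /setgeneral.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jul/2024:10:01:09 +0000] "GET /setgeneral.php?sitename=Select+Tailors&email=shop%40example.test&mobile=555-0100&sms=off&currency=USD HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2024:10:02:31 +0000] "GET /setgeneral.php?sitename=x%27%2C+email%3D%28SELECT+password+FROM+users%29--+&email=a&mobile=1&sms=off&currency=USD HTTP/1.1" 200 640 "-" "python-requests/2.31"
203.0.113.9 - - [12/Jul/2024:10:02:40 +0000] "GET /setgeneral.php?currency=USD%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 640 "-" "python-requests/2.31"
10.0.0.7 - - [12/Jul/2024:10:03:00 +0000] "GET /index.php?q=union+square HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Each pattern needs structural evidence (a closing quote, a comment marker,
# a stacked clause or a timing function), not just a keyword, so a value
# like "Select Tailors" is not flagged the way a bare *SELECT* wildcard would.
SQLI_PATTERNS = [
    ("quote_then_boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("quote_then_set_clause", re.compile(r"'\s*,\s*\w+\s*=", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("timing_function", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("trailing_comment", re.compile(r"(--|#|/\*)\s*$")),
    ("stacked_statement", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]

# Apache/nginx combined log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def suspicious_params(params: dict) -> dict:
    """Return {param: [pattern names]} for watched parameters whose decoded
    value shows injection structure; an empty dict means nothing to report."""
    findings = {}
    for name, value in params.items():
        if name not in WATCHED_PARAMS:
            continue
        hits = [label for label, rx in SQLI_PATTERNS if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


def params_from_request(uri: str, body: str = "") -> dict:
    """Merge query-string and (when logged) urlencoded POST body parameters.
    parse_qsl percent-decodes and turns '+' into spaces, so the patterns
    see what the database would see."""
    params = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    params.update(parse_qsl(body, keep_blank_values=True))
    return params


def scan_log(text: str) -> list:
    """Parse combined-format lines and report requests to setgeneral.php whose
    parameters match.  Plain access logs carry only the query string; POST
    bodies need a WAF or audit log, which params_from_request also accepts."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["uri"]).path != TARGET_PATH:
            continue
        findings = suspicious_params(params_from_request(m["uri"]))
        if findings:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "ua": m["ua"],
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Over the constructed log this reports the two probes from 203.0.113.9 (the sitename payload matches the quote-then-SET-clause and trailing-comment patterns; the currency payload matches the boolean, timing-function and trailing-comment patterns) and stays silent on the benign "Select Tailors" submission that the bare *SELECT* wildcard would have flagged. Used as a WAF check, the same suspicious_params call on the decoded form body decides whether to block the request.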
