CVE-2024-8332 – This CVE describes a critical SQL injection vul... (How to Fix)

Q: What is the severity of CVE-2024-8332?

CVE-2024-8332 has a CVSS score of 6.3 (MEDIUM). This CVE describes a critical SQL injection vulnerability in master-nan Sweet-CMS that allows remote attackers to execute arbitrary SQL commands through the /table/index endpoint. The vulnerability affects all versions up to commit 5f441e022b8876f07cde709c77b5be6d2f262e3f. Organizations using Sweet-CMS with internet-facing deployments are at immediate risk.

📋 TL;DR

This CVE describes a critical SQL injection vulnerability in master-nan Sweet-CMS that allows remote attackers to execute arbitrary SQL commands through the /table/index endpoint. The vulnerability affects all versions up to commit 5f441e022b8876f07cde709c77b5be6d2f262e3f. Organizations using Sweet-CMS with internet-facing deployments are at immediate risk.

💻 Affected Systems

Products:

master-nan Sweet-CMS

Versions: All versions up to commit 5f441e022b8876f07cde709c77b5be6d2f262e3f

Operating Systems: All platforms running Sweet-CMS

Default Config Vulnerable: ⚠️ Yes

Notes: This product uses rolling releases, so specific version numbers are not available. The vulnerability exists in the default configuration.

📦 What is this software?

Sweet Cms by Master Nan

View all CVEs affecting Sweet Cms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, and potential remote code execution through database functions.

🟠

Likely Case

Unauthorized data access, data exfiltration, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only read-only access to non-sensitive data.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing instances extremely vulnerable.

🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or through compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit with basic tools. The remote unauthenticated nature makes this particularly dangerous.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 146359646a5a90cb09156dbd0013b7df77f2aa6c

Vendor Advisory: https://github.com/master-nan/sweet-cms/commit/146359646a5a90cb09156dbd0013b7df77f2aa6c

Restart Required: Yes

Instructions:

1. Pull the latest code from the Sweet-CMS repository. 2. Apply commit 146359646a5a90cb09156dbd0013b7df77f2aa6c. 3. Restart the Sweet-CMS application. 4. Verify the fix by testing the /table/index endpoint.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules to block malicious requests.

Input Validation Filter

all

Implement custom input validation to sanitize all parameters passed to /table/index endpoint.

🧯 If You Can't Patch

Implement strict network segmentation to isolate Sweet-CMS instances from sensitive systems.
Deploy database-level protections including minimal privilege accounts and query whitelisting.

🔍 How to Verify

Check if Vulnerable:

Test the /table/index endpoint with SQL injection payloads like ' OR '1'='1 and monitor for unexpected database responses.

Check Version:

git log --oneline | head -5

Verify Fix Applied:

Verify that commit 146359646a5a90cb09156dbd0013b7df77f2aa6c is present in your codebase and test SQL injection attempts against the patched endpoint.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in application logs
Multiple failed login attempts from single IP
Requests to /table/index with SQL keywords

Network Indicators:

Unusual database connection patterns
Large data transfers from application server

SIEM Query:

source="sweet-cms.log" AND ("table/index" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE"))

📊 Metadata

CVE ID: CVE-2024-8332

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: August 30, 2024

Last Updated: September 3, 2024

🔗 References

https://github.com/master-nan/sweet-cms/commit/146359646a5a90cb09156dbd0013b7df77f2aa6c Patch
https://github.com/master-nan/sweet-cms/issues/1 Exploit,Issue Tracking
https://github.com/master-nan/sweet-cms/issues/2 Exploit,Issue Tracking
https://vuldb.com/?ctiid.276208 Permissions Required
https://vuldb.com/?id.276208 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.398803 Exploit,Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8332, you might also want to check these: