CVE-2024-13093
Published: 02 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2024-13093 is a critical SQL injection vulnerability in code-projects Job Recruitment 1.0, affecting the Seeker Profile Handler component. The issue resides in the processing of the file /_parse/_call_main_search_ajax.php, where manipulation of the argument s1 enables SQL injection. It is associated with CWEs-74 and CWE-89, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption within the affected component.
Advisories and additional details are available via VulDB entries (https://vuldb.com/?ctiid.289901, https://vuldb.com/?id.289901, https://vuldb.com/?submit.472442) and the project site (https://code-projects.org/). A public exploit disclosure is hosted on GitHub (https://github.com/UnrealdDei/cve/blob/main/sql10.md) and may be used.
The vulnerability was published on 2025-01-02T09:15:18.047, with the exploit already disclosed to the public.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (/_parse/_call_main_search_ajax.php) enables exploitation of public-facing applications (T1190) and facilitates collection of data from databases via arbitrary SQL queries (T1213.006).