CVE-2024-57162
Published: 16 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2024-57162 is an SQL Injection vulnerability (CWE-89) in Campcodes Cybercafe Management System version 1.0, specifically affecting the /ccms/view-user-detail.php component. Published on 2025-01-16, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue accessible over the network.
The vulnerability can be exploited remotely by a high-privileged user (PR:H) with low attack complexity and no user interaction required. Successful exploitation has a high impact on confidentiality, integrity, and availability: the attacker can execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion within the application's database.
Mitigation details are outlined in the referenced advisory at https://github.com/h1-wh0areu/bug_report/blob/main/cybercafe-management-system/SQLi-1.md.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the public-facing web application (/ccms/view-user-detail.php) enables exploitation for initial access (T1190) and arbitrary data collection from the backend database (T1213.006).