CVE-2024-57430
Published: 06 February 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2024-57430 is an SQL injection vulnerability (CWE-89) affecting the pjActionGetUser function in PHPJabbers Cinema Booking System version 2.0. The flaw allows attackers to manipulate database queries by injecting malicious input through the column parameter, potentially compromising the integrity and confidentiality of the underlying database.
With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is highly severe and remotely exploitable over the network with low complexity, requiring no authentication, privileges, or user interaction. Any unauthenticated attacker can leverage this to achieve unauthorized information disclosure, privilege escalation, or full database manipulation.
Advisories and additional details are available in the referenced GitHub repository at https://github.com/ahrixia/CVE-2024-57430, which likely includes proof-of-concept information, and the vendor's product page at https://www.phpjabbers.com/cinema-booking-system/. Practitioners should consult these sources for any patch availability or mitigation guidance.
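The CWE-89 pattern described above, with the column name (not just the value) under caller control, and the allow-list defence that applies when an identifier cannot be bound as a query parameter. This is an added example written for this entry, not the vendor's code: the `users` table, its columns and the function names are constructed stand-ins, written in Python with SQLite so it runs offline rather than in the product's PHP.

```python
import re
import sqlite3

# Constructed sample schema standing in for a booking system's user table (not the vendor's schema).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 'hash-a');
INSERT INTO users VALUES (2, 'bob', 'bob@example.com', 'hash-b');
"""

# Columns a "get user" lookup is permitted to filter on. Identifiers cannot be bound as
# parameters, so an explicit allow-list is the standard defence for a column argument.
LOOKUP_COLUMNS = frozenset({"id", "username", "email"})


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_user_vulnerable(conn, column, value):
    """CWE-89 pattern: the column name is interpolated straight into the SQL text.
    Only the value is bound, so the identifier position is attacker-controlled and
    any column (here even password_hash) becomes a lookup key."""
    sql = f"SELECT id, username, email FROM users WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


def get_user_hardened(conn, column, value):
    """Same query, but the column is checked against the allow-list before any SQL is built."""
    if column not in LOOKUP_COLUMNS:
        raise ValueError(f"column not permitted: {column!r}")
    sql = f"SELECT id, username, email FROM users WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchall()


# Detection aid for request logs or WAF rules: a legitimate column argument is a bare identifier.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def looks_like_identifier(column):
    return bool(IDENTIFIER.match(column))
```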
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application enables initial exploitation (T1190), privilege escalation through the vulnerability (T1068), unauthorized database access and disclosure (T1213.006), and manipulation of stored data (T1565.001).