Cyber Posture

CVE-2024-57665

Critical · Public PoC

Published: 29 January 2025
Modified: 23 May 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2024-57665 is a SQL injection vulnerability (CWE-89) in JFinalCMS version 1.0, specifically within the file rc/main/java/com/cms/entity/Content.java. The flaw occurs because the title parameter is user-controllable and is directly concatenated into the filterSql string without any filtering or sanitization, allowing malicious SQL payloads to be injected.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, such as executing arbitrary SQL queries to extract, modify, or delete database contents.

Details on the vulnerability discovery, including proof-of-concept exploitation steps, are documented in the referenced GitHub repository at https://github.com/Nbccccc/vulnerability_discovery/blob/main/JFinalCMS/JFinalCms%20SQL%20Injection.md. No vendor advisories, patches, or specific mitigation guidance are detailed in the provided information.
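As an added illustration (not code from JFinalCMS, whose Content.java is Java), the following Python/sqlite3 model reproduces the pattern the summary describes: a user-controlled title concatenated into a filter string, beside the parameterized form that closes the hole. The table, its rows and the test input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the CMS content table; the last
# column marks a record as public (1) or unpublished (0).
SAMPLE_ROWS = [
    (1, "Welcome post", 1),
    (2, "Draft: unpublished roadmap", 0),
    (3, "Internal pricing notes", 0),
    (4, "O'Brien interview", 1),
]

# Constructed CWE-89 test input: it closes the quoted LIKE pattern and appends
# an always-true condition. A correctly bound query must not be widened by it.
TAUTOLOGY = "%' OR 1=1 OR title LIKE '"

def make_db():
    # In-memory SQLite database holding SAMPLE_ROWS
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO content VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def search_vulnerable(conn, title):
    # Models the flaw: the user-controlled title is concatenated straight into
    # the filter string, so a quote in the input rewrites the query's structure.
    filter_sql = " WHERE published = 1 AND title LIKE '%" + title + "%'"
    return conn.execute("SELECT id, title FROM content" + filter_sql).fetchall()

def search_hardened(conn, title):
    # Fix: the filter text is fixed and the title travels as a bound parameter,
    # which the driver treats purely as data, never as SQL.
    filter_sql = " WHERE published = 1 AND title LIKE ?"
    params = ("%" + title + "%",)
    return conn.execute("SELECT id, title FROM content" + filter_sql, params).fetchall()

def raises_sql_error(search_fn, title):
    # True if the search fails on this input: a sign that the input reached the
    # SQL parser as syntax rather than as data (e.g. a title with an apostrophe).
    try:
        search_fn(make_db(), title)
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, TAUTOLOGY))  # all four rows
    print("hardened:  ", search_hardened(db, TAUTOLOGY))    # []
```

The concatenated variant also fails outright on a legitimate title containing an apostrophe, which is often the first visible symptom of this bug class in application logs.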

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

Vendor: heyewei
Product: jfinalcms
Version: 1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing CMS enables exploitation of a public-facing application (T1190) and facilitates data collection from databases via arbitrary SQL queries (T1213.006).
