Cyber Posture

CVE-2024-57765

Severity High (public PoC available)
Published 15 January 2025
Modified 10 April 2025
KEV Added none recorded
Patch none recorded
CVSS Score 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score 0.0021 (43.0th percentile)
Risk Priority 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Security Summary

CVE-2024-57765 is a SQL injection vulnerability (CWE-89) in mysiteforme (MSFM). The s_name parameter of the table/list endpoint is incorporated into a database query without being treated as data, so a crafted value is interpreted as SQL and executed against the application's database. Note that this page's affected range is inconsistent: this summary describes versions prior to 2025.01.01, while the Affected Products entry lists ≤ 2025-01-01; confirm the fixed build against the linked upstream issue before treating a 2025.01.01 install as patched.
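The bug class above, shown as an added example that is not mysiteforme's code: a list filter that interpolates s_name into a LIKE pattern, beside a parameterized version, run against an in-memory SQLite database seeded with constructed rows. The table names, columns and function names are assumptions standing in for the table/list endpoint; the payload is a generic UNION-based read of a second table, not the PoC from the upstream issue.

```python
"""Added demonstration of CWE-89 as described for CVE-2024-57765.

Not mysiteforme's code: schema, column names and the two list_tables_*
functions are assumptions standing in for the table/list endpoint's
s_name filter. Runs offline on an in-memory SQLite database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a table listing plus a sensitive user table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE site_table (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE sys_user (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        INSERT INTO site_table VALUES (1, 'blog_post'), (2, 'blog_comment');
        INSERT INTO sys_user VALUES (1, 'admin', '$2a$10$constructedhash');
        """
    )
    return conn


def list_tables_vulnerable(conn: sqlite3.Connection, s_name: str) -> list:
    """Builds the filter by string interpolation: the s_name value becomes SQL."""
    sql = f"SELECT id, name FROM site_table WHERE name LIKE '%{s_name}%'"
    return conn.execute(sql).fetchall()


def list_tables_fixed(conn: sqlite3.Connection, s_name: str) -> list:
    """Binds s_name as a parameter; the wildcards are added to the value, not the SQL."""
    # Escape LIKE metacharacters so user input cannot widen the match either.
    escaped = s_name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT id, name FROM site_table WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


# Constructed payload: closes the quoted LIKE pattern, appends a UNION that
# reads another table, then comments out the trailing "%'".
PAYLOAD = "' UNION SELECT id, password FROM sys_user -- "


def demo() -> dict:
    """Runs a benign filter and the payload through both implementations."""
    conn = make_db()
    return {
        "benign_vuln": list_tables_vulnerable(conn, "blog"),
        "payload_vuln": list_tables_vulnerable(conn, PAYLOAD),
        "benign_fixed": list_tables_fixed(conn, "blog"),
        "payload_fixed": list_tables_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the interpolated query the payload returns the sys_user password hash alongside the listing rows; with the bound parameter the same input is just a pattern that matches nothing, while the benign filter still returns the two matching rows.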

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): network-reachable, low attack complexity, no privileges and no user interaction required, with high confidentiality impact (reading arbitrary database contents) and no rated integrity or availability impact. One caveat: the ATT&CK rationale further down describes the endpoint as part of the backend admin interface. If the endpoint does require an authenticated admin session in a given deployment, the PR:N vector overstates exposure and the effective score there is lower, although an authenticated injection still reads arbitrary data.

The upstream advisory and additional details are available at https://gitee.com/wanglingxiao/mysiteforme/issues/IBFVK9. Mitigation is to upgrade to mysiteforme 2025.01.01 or later; until the upgrade is applied, limiting network reachability of the application's management endpoints reduces exposure to unauthenticated requests.

Details

CWE(s)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products
wangl1989 / mysiteforme ≤ 2025-01-01

MITRE ATT&CK Enterprise Techniques

T1213.006 Data from Information Repositories: Databases (tactic: Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The SQL injection in the s_name parameter of the backend admin interface lets an attacker run arbitrary queries against the application database, which is exactly the behaviour T1213.006 describes: collecting data held in databases.
