Cyber Posture

CVE-2024-58309

Severity: Critical · Public PoC available

Published: 11 December 2025

Modified: 30 December 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0038 (59.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: SI-10 directly prevents SQL injection by validating and sanitizing untrusted inputs such as the msgid parameter in shoutedit.php, ensuring they match the expected format.
- Prevent: SI-2 requires timely identification, reporting, and remediation of flaws such as the unauthenticated SQL injection in xbtitFM 4.1.18, eliminating the vulnerability through patching.
- Prevent: AC-6 limits the application's database privileges to the minimum necessary, reducing the scope of data extraction possible even if SQL injection via msgid succeeds.

Security Summary (AI-generated)

CVE-2024-58309 is an unauthenticated SQL injection vulnerability (CWE-89) in xbtitFM version 4.1.18. The issue affects the /shoutedit.php component, where remote attackers can inject malicious SQL code through the msgid parameter to manipulate database queries. Published on 2025-12-11, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Any unauthenticated remote attacker can exploit this vulnerability by sending crafted HTTP requests to /shoutedit.php, leveraging MySQL functions like EXTRACTVALUE to extract sensitive data including database names, user credentials, and password hashes from the underlying database. No user interaction or privileges are required, enabling widespread exploitation against exposed xbtitFM instances.

Advisories detailing the vulnerability are available from VulnCheck at https://www.vulncheck.com/advisories/xbtitfm-unauthenticated-sql-injection-in-shouteditphp, with a proof-of-concept exploit published on Exploit-DB at https://www.exploit-db.com/exploits/51909. The official xbtitFM site is https://xbtitfm.eu.
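As an added defender-side example (not code from this page or from the xbtitFM project), the following Python applies the SI-10 allow-list check to msgid and scans access-log lines for requests to /shoutedit.php whose msgid is not a plain integer, which is the shape the injection described above must take; the log lines, IP addresses and function names are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# A shout message id is a positive integer, so the allow-list below rejects
# anything else before it could reach a query (the SI-10 control above).
MSGID_RE = re.compile(r"[1-9][0-9]{0,9}")

def validate_msgid(raw: str) -> Optional[int]:
    """Return msgid as int when it is a plain positive integer, else None."""
    return int(raw) if MSGID_RE.fullmatch(raw) else None

# Tokens that never belong in a numeric id. EXTRACTVALUE is the function the
# advisory names; the others are common companions in error-based injection.
SQL_TOKENS = ("EXTRACTVALUE", "UPDATEXML", "UNION", "SELECT", "CONCAT", "'", "--")

# Request line of a combined-format access log, e.g. "GET /path?q=1 HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """Flag /shoutedit.php requests whose msgid fails the allow-list check."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/shoutedit.php":
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("msgid", []):
            value = unquote_plus(raw)  # parse_qs decoded once; catch double-encoding
            if validate_msgid(value) is None:
                tokens = [t for t in SQL_TOKENS if t in value.upper()]
                hits.append({"msgid": value, "tokens": tokens, "line": line})
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2025:10:00:01 +0000] "GET /shoutedit.php?msgid=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Dec/2025:10:00:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/Dec/2025:10:00:03 +0000] "GET /shoutedit.php?msgid=1%20AND%20EXTRACTVALUE(1%2C1) HTTP/1.1" 500 311',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"suspicious msgid={hit['msgid']!r} tokens={hit['tokens']}")
```

The same allow-list check is what the application itself should apply before the id is used in a query; on the log side, any /shoutedit.php request that fails it is worth an alert regardless of which SQL tokens appear.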

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

- xbtitfm (vendor) · xbtitfm (product) · 4.1.18 (version)

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

Unauthenticated SQL injection in a public-facing web application (T1190) enables extraction of sensitive data such as credentials and hashes from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
