CVE-2024-24572 MEDIUM

CVE-2024-24572: facileManager Authenticated Variable Manipulation leading to SQL Injection

Vendor Willyxj

Product facileManager

Weakness CWE-89 · SQLi

Published January 31, 2024

Last update October 17, 2024

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql variable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable.

Key dates

02Disclosure timeline

January 31, 2024 CVE published

October 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-24572

Related vulnerabilities

CVE-2024-24572: facileManager Authenticated Variable Manipulation leading to SQL Injection

01Description

02Disclosure timeline

03References

04Related CVE