chucrutis / CVE-2024-32369

Description: SQL Injection vulnerability in HSC Cybersecurity HSC Mailinspector v.5.2.17-3 allows a remote attacker to obtain sensitive information via a crafted payload to the start and limit parameter in the mliWhiteList.php component.


CVE-2024-32369

Versions: Discovered in HSC Mailinspector 5.2.17-3 but applicable to all versions up to 5.2.18.

Proof of Concept

The SQL injection occurs in the limit parameter of the request sent to mliWhiteList.php. Specifically, sending exec=fetch&start=0&limit=30' (the expected numeric value with a single quote appended) is enough to demonstrate that the parameter is injectable.

Payload: exec=fetch&start=0&limit=30'

Vulnerable Parameter:

  • Parameter: limit
  • Payload: exec=fetch&start=0&limit=30'
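The pattern behind this class of bug and its fix, as an added example that is not Mailinspector's own code: the vulnerable version splices start and limit into the query text, so the trailing quote from the PoC becomes part of the SQL; the hardened version validates both values as integers and binds them in a prepared statement. The table name whitelist, the $pdo handle and the use of POST are assumptions.

```php
<?php
// Added illustration, not HSC Mailinspector's code. Assumes an existing PDO
// connection $pdo and a table named "whitelist" (both hypothetical).

// Vulnerable pattern: start/limit are interpolated into the SQL text, so a
// value such as 30' (the PoC) is parsed as SQL instead of as a page size.
function fetchWhitelistVulnerable(PDO $pdo, string $start, string $limit): array
{
    $sql = "SELECT * FROM whitelist LIMIT $start, $limit";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: FILTER_VALIDATE_INT rejects 30' (and any other non-integer
// text), and the accepted integers are bound with PDO::PARAM_INT so the
// database never sees attacker-controlled characters inside the query text.
function fetchWhitelistSafe(PDO $pdo, string $start, string $limit): array
{
    $s = filter_var($start, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $l = filter_var($limit, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 500]]);
    if ($s === false || $l === false) {
        http_response_code(400);
        exit('invalid paging parameters');
    }
    $stmt = $pdo->prepare('SELECT * FROM whitelist LIMIT :start, :limit');
    $stmt->bindValue(':start', $s, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $l, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling shaped like the PoC body (exec=fetch&start=0&limit=30),
// assumed here to arrive as a POST form.
if (($_POST['exec'] ?? '') === 'fetch') {
    header('Content-Type: application/json');
    echo json_encode(fetchWhitelistSafe($pdo, $_POST['start'] ?? '0', $_POST['limit'] ?? '30'));
}
```

With the hardened handler, the PoC request is answered with HTTP 400 before any query runs; on the server side, a spike in 400s or in database syntax errors tied to the fetch action is the signal worth alerting on.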
